ULOG/NFLOG on a non-forwarding machine

ULOG/NFLOG on a non-forwarding machine

[Benny Amorsen]

We have a monitor server in place which we use to get flow
information. Currently libpcap-based is in use, but it would be nice
to be able to use ULOG or NFLOG for this.

The challenge is that the monitor-server does not actually forward any
packets. It is connected to a mirror-port on a switch, so that it is
able to see all traffic. However, the traffic does not show up in any
netfilter chains, because no routing or bridging is in place on the
monitor server.

Is there a way to catch incoming traffic which is neither INPUT nor
FORWARD with netfilter?


/Benny

Re: ULOG/NFLOG on a non-forwarding machine

[Grant Taylor]

On 9/23/2008 4:50 AM, Benny Amorsen wrote:
> Is there a way to catch incoming traffic which is neither INPUT nor 
> FORWARD with netfilter?

You /might/ be able to catch some traffic *if* the Linux TCP/IP stack 
thought that it was appropriately addressed to the system.

I think you will have better luck doing this with bridging as bridging 
is (more) accustom to dealing with traffic that may or may not be 
addressed to the local system.

It may be possible to get IPTables to log some information about packets 
that it thinks are completely erroneous, but I'm thinking that if it is 
possible, it will be severely limited.



Grant. . . .

Re: ULOG/NFLOG on a non-forwarding machine

[Benny Amorsen]

Grant Taylor <gtaylor@riverviewtech.net> writes:

> You /might/ be able to catch some traffic *if* the Linux TCP/IP stack
> thought that it was appropriately addressed to the system.

That is exactly the problem. The network stack doesn't think it needs
to do anything with the packets.

> I think you will have better luck doing this with bridging as bridging
> is (more) accustom to dealing with traffic that may or may not be
> addressed to the local system.

If the kernel has to forward the packet, the performance advantages of
using NFLOG probably disappear.

I guess I'm sticking to libpcap then.


/Benny

Re: ULOG/NFLOG on a non-forwarding machine

[Grant Taylor]

On 09/25/08 04:07, Benny Amorsen wrote:
> That is exactly the problem. The network stack doesn't think it needs 
> to do anything with the packets.

*nod*

> If the kernel has to forward the packet, the performance advantages 
> of using NFLOG probably disappear.

Eh...

> I guess I'm sticking to libpcap then.

Consider looking at bridging and allowing IPTables to see bridged 
traffic.  The traffic will end up being dropped or not forwarded because 
there is no destination on the other side.  However in the process I 
think the traffic will pass through IPTables thus allowing you to do 
what you are wanting to do.



Grant. . . .

Re: ULOG/NFLOG on a non-forwarding machine

[Philip Craig]

Benny Amorsen wrote:
> Is there a way to catch incoming traffic which is neither INPUT nor
> FORWARD with netfilter?

Have you tried PREROUTING?

Re: ULOG/NFLOG on a non-forwarding machine

[Benny Amorsen]

Philip Craig <philipc@snapgear.com> writes:

> Benny Amorsen wrote:
>> Is there a way to catch incoming traffic which is neither INPUT nor
>> FORWARD with netfilter?
>
> Have you tried PREROUTING?

Yes, I have tried PREROUTING and I've tried the nat and mangle tables.
No luck.


/Benny

Re: ULOG/NFLOG on a non-forwarding machine

[Покотиленко Костик]

В Птн, 26/09/2008 в 10:43 +1000, Philip Craig пишет:
> Benny Amorsen wrote:
> > Is there a way to catch incoming traffic which is neither INPUT nor
> > FORWARD with netfilter?
> 
> Have you tried PREROUTING?

Also, have you tried putting interface in "promiscous mode". This way it
will receive all packets including those not addessed to the host
itself. They would be dropped later, but you still can grab them.

-- 
Покотиленко Костик <casper@meteor.dp.ua>