Gentoo Forums
iptables -J NFLOG and tcpdump - much gnashing of teeth!
MrUlterior
Guru


Joined: 22 Mar 2005
Posts: 510
Location: Switzerland

PostPosted: Thu Sep 12, 2013 9:13 pm    Post subject: iptables -J NFLOG and tcpdump - much gnashing of teeth!

Out of curiosity I've been trying to log particular traffic on my LAN, so I've setup some iptables that include:

Code:

...
iptables -A FORWARD -m mac --mac-source XX:XX:XX:XX:XX:XX -j NFLOG --nflog-group 2
iptables -A FORWARD -p tcp -d 192.168.XXX.XXX -j NFLOG --nflog-group 2
iptables -A FORWARD -p udp -d 192.168.XXX.XXX -j NFLOG --nflog-group 2
...
iptables -A INPUT -p all -i wlan0 -j NFLOG --nflog-group 1


They work: when I fire up wireshark & point it at the NFLOG interface I can see all the interesting traffic logged.
But when I run:

Code:

tcpdump -i nflog:1 -w /home/nflog-1-${DUMP_LOG_DATE}.log
tcpdump -i nflog:2 -w /home/nflog-2-${DUMP_LOG_DATE}.log


I get:

Code:
tcpdump: WARNING: SIOCGIFADDR: nflog:1: No such device
tcpdump: /home/nflog-0-20130912-230157.log: No such file or directory
tcpdump: WARNING: SIOCGIFADDR: nflog:2: No such device
tcpdump: /home/nflog-1-20130912-230157.log: No such file or directory



What gives? I notice that wireshark runs dumpcap like this:

Code:
dumpcap -n -i nflog -y NFLOG -U zone


So I tried a similar thing with tcpdump:

Code:

# tcpdump -i nflog -w /home/blah.log
tcpdump: Can't listen on group group index: Operation not permitted


tcpdump relies on libpcap (built with netlink support) and iptables itself seems to be built correctly:
Code:

# for M in iptables libpcap netfilter tcpdump; do eix -I $M; done
[I] net-firewall/iptables
     Available versions:  1.4.6 1.4.10 ~1.4.10-r1 1.4.11.1-r2 ~1.4.12 1.4.12.1 ~1.4.12.1-r1 1.4.13 ~1.4.13-r2 ~1.4.14-r1 ~1.4.15-r1 ~1.4.16.2 1.4.16.3 ~1.4.17 {ipv6 netlink static-libs}
     Installed versions:  1.4.16.3(22:19:59 09/12/13)(ipv6 netlink -static-libs)
     Homepage:            http://www.iptables.org/
     Description:         Linux kernel (2.4+) firewall, NAT and packet mangling tools

[I] net-libs/libpcap
     Available versions:  1.1.1-r1 1.3.0-r1 {bluetooth canusb ipv6 netlink static-libs}
     Installed versions:  1.3.0-r1(22:17:11 09/12/13)(ipv6 netlink -bluetooth -canusb -static-libs)
     Homepage:            http://www.tcpdump.org/
     Description:         A system-independent library for user-level network packet capture

[I] net-libs/libnetfilter_conntrack
     Available versions:  1.0.0 ~1.0.1 1.0.2 {static-libs}
     Installed versions:  1.0.2(00:33:22 02/23/13)(-static-libs)
     Homepage:            http://www.netfilter.org/projects/libnetfilter_conntrack/
     Description:         programming interface (API) to the in-kernel connection tracking state table

[I] net-analyzer/tcpdump
     Available versions:  3.9.8 3.9.8-r1 ~4.1.1 ~4.2.0 ~4.2.1 4.3.0 {(+)chroot ipv6 (-)samba smi ssl suid test}
     Installed versions:  4.3.0(22:19:22 09/12/13)(chroot ipv6 ssl -samba -smi -suid -test)
     Homepage:            http://www.tcpdump.org/
     Description:         A Tool for network monitoring and data acquisition


Heeeeelp! :oops:
_________________

Misanthropy 2.0 - enough hate to go around
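An added example, not code from either post, that puts the two halves of the setup above into one small POSIX shell script: it prints the iptables rules that feed an NFLOG group (echoed rather than executed, so it needs no root), and it builds the matching tcpdump command only after checking that the directory the -w file goes into exists. That check targets the real failure in the output quoted above: the SIOCGIFADDR warning is harmless, because nflog:N is a libpcap pseudo-interface rather than a network device, while "No such file or directory" is tcpdump failing on the output path, not on the capture. The eix output shows tcpdump built with the chroot USE flag; the script assumes that such a build resolves the -w path inside its chroot directory, so the check can be given that directory as a third argument (the name /var/lib/tcpdump used in the comments is an assumption, check the ebuild on your system). The group numbers, the host 192.168.0.10 and all paths are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not code from the forum posts): wire an NFLOG group to a
# tcpdump capture, checking the output path before tcpdump is started.
# Group numbers, the 192.168.0.10 host and all paths are constructed values.

# Print the iptables rules that copy a host's TCP and UDP traffic to an NFLOG
# group. The rules are echoed rather than executed so this runs without root;
# pipe the output through sh as root to apply them.
nflog_rules() {
    group="$1"
    host="$2"
    printf 'iptables -A FORWARD -p tcp -d %s -j NFLOG --nflog-group %s\n' "$host" "$group"
    printf 'iptables -A FORWARD -p udp -d %s -j NFLOG --nflog-group %s\n' "$host" "$group"
}

# Build the tcpdump command that reads one NFLOG group and writes a pcap file.
# Returns 1 when the output directory is missing: tcpdump itself reports that
# only after it has opened the nflog socket, as "<file>: No such file or
# directory". The optional third argument is the chroot directory of a
# privilege-dropping tcpdump build (assumed to be /var/lib/tcpdump for the
# Gentoo chroot USE flag); when given, the directory must exist below it,
# which is why a path under /home is not reachable from such a build.
capture_cmd() {
    group="$1"
    outfile="$2"
    root="${3:-}"
    dir=$(dirname "$outfile")
    if [ ! -d "$root$dir" ]; then
        printf 'capture_cmd: directory %s does not exist as tcpdump sees it\n' "$root$dir" >&2
        return 1
    fi
    # nflog:N is a libpcap pseudo-interface, not a network device, so the
    # "SIOCGIFADDR: nflog:N: No such device" warning tcpdump prints is harmless.
    printf 'tcpdump -i nflog:%s -w %s\n' "$group" "$outfile"
}

# Dry run: rules for group 2, a capture command for a directory that exists
# (/tmp), and the failing case, which only prints its diagnostic.
nflog_rules 2 192.168.0.10
capture_cmd 2 /tmp/nflog-2.pcap || true
capture_cmd 2 /nonexistent/nflog-2.pcap || true
```

Run it as is to see the commands; to apply them, feed the nflog_rules output to sh as root and run the printed tcpdump line, pointing -w at a directory that exists (and, for a chroot build, exists below the chroot) and is writable by the user tcpdump drops to.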
derzol
n00b


Joined: 17 Sep 2013
Posts: 1

PostPosted: Tue Sep 17, 2013 3:05 pm    Post subject: Re: iptables -J NFLOG and tcpdump - much gnashing of teeth!

MrUlterior wrote:
What gives? I notice that wireshark runs dumpcap like this:

Code:
dumpcap -n -i nflog -y NFLOG -U zone


Perhaps:
Code:
dumpcap -i nflog:1 -w /home/nflog-1.pcap