Since Linux 2.6.14 it is possible to pass packets that have been logged by the kernel packet filter to userspace (via the NFLOG target), so they can be captured like packets from a network interface.
Requirements:
- Newer version of libpcap (>= commit cc8520ff5294900d93509eaf843684c51af102a9)
- Linux kernel with NFLOG (CONFIG_NETFILTER_XT_TARGET_NFLOG).
Examples:
- Capture packets generated by uid 1000 to file uid-1000.pcap
# iptables -A OUTPUT -m owner --uid-owner 1000 -j CONNMARK --set-mark 1
# iptables -A INPUT -m connmark --mark 1 -j NFLOG --nflog-group 30
# iptables -A OUTPUT -m connmark --mark 1 -j NFLOG --nflog-group 30
# dumpcap -i nflog:30 -w uid-1000.pcap
- Capture TCP packets from/to port 80
# iptables -A INPUT -p tcp -m tcp --sport 80 -j NFLOG --nflog-group 40
# iptables -A OUTPUT -p tcp -m tcp --dport 80 -j NFLOG --nflog-group 40
# dumpcap -i nflog:40 -w port-80.pcap
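The captures produced by the examples above use libpcap's LINKTYPE_NFLOG (DLT 239) link-layer format rather than Ethernet: each record starts with a small header carrying the nflog group, followed by netfilter attributes (mark, uid, prefix, payload). The decoder below is an added example, not code from this page, Wireshark or netfilter; the header and TLV layout follow tcpdump.org's LINKTYPE_NFLOG description, the NFULA_* numbers are the kernel's nfnetlink_log attribute types, and the records and pcap file it parses are constructed inline, so it runs offline. It is handy for checking that a group-30 capture really contains the uid-1000 traffic the CONNMARK rules were meant to select.

```python
"""Decode LINKTYPE_NFLOG (DLT 239) records, the link-layer format libpcap
writes for an nflog:N capture such as `dumpcap -i nflog:30 -P -w uid-1000.pcap`."""
import struct

# NFULA_* attribute types from the kernel's nfnetlink_log.h (subset used here)
NFULA_MARK = 2
NFULA_PAYLOAD = 9
NFULA_PREFIX = 10
NFULA_UID = 11
NFULA_GID = 14
LINKTYPE_NFLOG = 239


def parse_nflog_record(data, endian="<"):
    """Split one NFLOG record into its 4-byte header and a {type: value} TLV map.

    Per tcpdump.org's LINKTYPE_NFLOG description: byte 0 is the address family
    (2 = IPv4, 10 = IPv6), byte 1 the version (0), bytes 2-3 the big-endian
    resource id (the nflog group). Each following TLV has a 2-byte length and
    a 2-byte type in the pcap file's byte order (`endian`), then the value,
    padded to a 4-byte boundary; the length counts the 4-byte TLV header.
    """
    if len(data) < 4:
        raise ValueError("record shorter than the 4-byte NFLOG header")
    family, version = data[0], data[1]
    group = struct.unpack(">H", data[2:4])[0]
    tlvs, off = {}, 4
    while off + 4 <= len(data):
        length, typ = struct.unpack(endian + "HH", data[off:off + 4])
        if length < 4 or off + length > len(data):
            raise ValueError("malformed TLV at offset %d" % off)
        tlvs[typ] = data[off + 4:off + length]
        off += (length + 3) & ~3          # values are padded to 4 bytes
    return {"family": family, "version": version, "group": group, "tlvs": tlvs}


def summarize(rec):
    """Extract what an operator checks first: group, mark, uid, prefix, IPv4 endpoints."""
    tlvs = rec["tlvs"]
    out = {"group": rec["group"], "family": rec["family"]}
    for name, typ in (("mark", NFULA_MARK), ("uid", NFULA_UID), ("gid", NFULA_GID)):
        if typ in tlvs:                   # kernel emits these as 4-byte big-endian
            out[name] = struct.unpack(">I", tlvs[typ])[0]
    if NFULA_PREFIX in tlvs:              # NUL-terminated string from --nflog-prefix
        out["prefix"] = tlvs[NFULA_PREFIX].rstrip(b"\x00").decode("ascii", "replace")
    payload = tlvs.get(NFULA_PAYLOAD, b"")
    out["payload_len"] = len(payload)
    if rec["family"] == 2 and len(payload) >= 20:   # payload starts at the IP header
        out["proto"] = payload[9]
        out["src"] = ".".join(str(b) for b in payload[12:16])
        out["dst"] = ".".join(str(b) for b in payload[16:20])
    return out


def iter_nflog_pcap(blob):
    """Yield summarize() results for every record in a classic (non-pcapng) pcap blob."""
    magic = blob[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic microsecond pcap file (pcapng not handled here)")
    if struct.unpack(endian + "I", blob[20:24])[0] != LINKTYPE_NFLOG:
        raise ValueError("link type is not NFLOG")
    off = 24
    while off + 16 <= len(blob):
        incl_len = struct.unpack(endian + "I", blob[off + 8:off + 12])[0]
        off += 16
        yield summarize(parse_nflog_record(blob[off:off + incl_len], endian))
        off += incl_len


# --- constructed sample data (not a real capture) --------------------------
def _tlv(typ, value, endian="<"):
    length = 4 + len(value)
    return struct.pack(endian + "HH", length, typ) + value + b"\x00" * (-length % 4)


def constructed_record(endian="<"):
    """One IPv4 TCP SYN to port 80 from uid 1000, as NFLOG group 30 would deliver it."""
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([93, 184, 216, 34]))
    tcp = struct.pack(">HHIIBBHHH", 40000, 80, 0, 0, 0x50, 0x02, 65535, 0, 0)
    return (bytes([2, 0]) + struct.pack(">H", 30)
            + _tlv(NFULA_MARK, struct.pack(">I", 1), endian)
            + _tlv(NFULA_UID, struct.pack(">I", 1000), endian)
            + _tlv(NFULA_PREFIX, b"uid-1000\x00", endian)   # 9 bytes -> 3 pad bytes
            + _tlv(NFULA_PAYLOAD, ip + tcp, endian))


def constructed_pcap():
    """Minimal little-endian pcap file holding one constructed_record()."""
    rec = constructed_record("<")
    header = struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, LINKTYPE_NFLOG)
    return header + struct.pack("<IIII", 0, 0, len(rec), len(rec)) + rec


if __name__ == "__main__":
    for summary in iter_nflog_pcap(constructed_pcap()):
        print(summary)
```

To run it on a real file, pass `open("uid-1000.pcap", "rb").read()` to `iter_nflog_pcap`. Note that dumpcap writes pcapng by default; use `dumpcap -P` or convert with `editcap -F pcap` to get the classic format this reader handles, and remember that the TLV length/type fields follow the byte order of the host that wrote the file, which is why the reader takes the endianness from the pcap magic rather than assuming it.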
External links
http://www.netfilter.org/ - Homepage of netfilter.org
