Since Linux 2.6.14 it's possible to pass via userspace packets that have been logged by the kernel packet filter.



# iptables -A OUTPUT -m owner --uid-owner 1000 -j CONNMARK --set-mark 1
# iptables -A INPUT -m connmark --mark 1 -j NFLOG --nflog-group 30 
# iptables -A OUTPUT -m connmark --mark 1 -j NFLOG --nflog-group 30 
# dumpcap -i nflog:30 -w uid-1000.pcap

# iptables -A INPUT -p tcp -m tcp --sport 80 -j NFLOG --nflog-group 40
# iptables -A OUTPUT -p tcp -m tcp --dport 80 -j NFLOG --nflog-group 40
# dumpcap -i nflog:40 -w port-80.pcap

CaptureSetup/NFLOG (last edited 2011-06-17 07:37:22 by JakubZawadzki)