Since Linux 2.6.14 it's possible to pass via userspace packets that have been logged by the kernel packet filter.
- libpcap 1.2.1 or newer (commit cc8520ff5294900d93509eaf843684c51af102a9)
- Linux Kernel with NFLOG (CONFIG_NETFILTER_XT_TARGET_NFLOG).
- Effective UID 0 (root) or the CAP_NET_ADMIN capability.
According to the iptables-extensions(8) manual page, NFLOG usually passes packets to a multicast group of a netlink socket which requires CAP_NET_ADMIN as documented in the netlink(7) manual page.
- Capture packets generated by uid: 1000 to file uid-1000.pcap
## Important: -m owner cannot be used with INPUT since it matches originating sockets only. ## To track responses to outgoing traffic, a connection mark has to be set in OUTPUT and matched in INPUT. # iptables -A OUTPUT -m owner --uid-owner 1000 -j CONNMARK --set-mark 1 # iptables -A INPUT -m connmark --mark 1 -j NFLOG --nflog-group 30 # iptables -A OUTPUT -m connmark --mark 1 -j NFLOG --nflog-group 30 # dumpcap -i nflog:30 -w uid-1000.pcap
- Capture tcp packets from/to port 80
# iptables -A INPUT -p tcp -m tcp --sport 80 -j NFLOG --nflog-group 40 # iptables -A OUTPUT -p tcp -m tcp --dport 80 -j NFLOG --nflog-group 40 # dumpcap -i nflog:40 -w port-80.pcap
The maximum payload size that can be captured is 65531 bytes (65535 is the maximum TLV length, minus two bytes for the length, minus two bytes for the NFULA_PAYLOAD type). On interfaces with a larger MTU, this will result in truncation.
Affected is the Loopback interface where the default MTU is 65536 since Linux 3.7, so the last four bytes of an IP payload could be lost. If capturing everything is important, lower the MTU. For example:
# ip link set lo mtu 65528
- https://www.netfilter.org/ - Homepage of netfilter.org
Imported from https://wiki.wireshark.org/CaptureSetup/NFLOG on 2020-08-11 23:11:59 UTC