This wiki has been migrated to and is now deprecated. Please use that site instead.

Since Linux 2.6.14 it's possible to pass via userspace packets that have been logged by the kernel packet filter.


According to the iptables-extensions(8) manual page, NFLOG usually passes packets to a multicast group of a netlink socket which requires CAP_NET_ADMIN as documented in the netlink(7) manual page.


## Important: -m owner cannot be used with INPUT since it matches originating sockets only.
## To track responses to outgoing traffic, a connection mark has to be set in OUTPUT and matched in INPUT.
# iptables -A OUTPUT -m owner --uid-owner 1000 -j CONNMARK --set-mark 1
# iptables -A INPUT -m connmark --mark 1 -j NFLOG --nflog-group 30 
# iptables -A OUTPUT -m connmark --mark 1 -j NFLOG --nflog-group 30 
# dumpcap -i nflog:30 -w uid-1000.pcap

# iptables -A INPUT -p tcp -m tcp --sport 80 -j NFLOG --nflog-group 40
# iptables -A OUTPUT -p tcp -m tcp --dport 80 -j NFLOG --nflog-group 40
# dumpcap -i nflog:40 -w port-80.pcap


The maximum payload size that can be captured is 65531 bytes (65535 is the maximum TLV length, minus two bytes for the length, minus two bytes for the NFULA_PAYLOAD type). On interfaces with a larger MTU, this will result in truncation.

Affected is the Loopback interface where the default MTU is 65536 since Linux 3.7, so the last four bytes of an IP payload could be lost. If capturing everything is important, lower the MTU. For example:

# ip link set lo mtu 65528

CaptureSetup/NFLOG (last edited 2020-03-07 19:34:34 by PeterWu)