09-25-2008, 05:57 PM
"Lucas Mocellin"

how to sniff marked packets by iptables

Hi,

I marked some packets with iptables (-j MARK), and I want to "see" this set.

I tried to search Google, but found nothing related. tcpdump doesn't seem to help with that.

Has anyone any idea?


Thanks,

Lucas Mocellin.
 
09-25-2008, 06:03 PM
"Andre Luiz Rodrigues Ferreira"

how to sniff marked packets by iptables

Hi!
Try: tcpdump -vvv

2008/9/25 Lucas Mocellin <lucasmocellin@gmail.com>:
> Hi,
>
> I marked some packets with iptables (-j MARK), and I want to "see" this set.
>
> I tried to search Google, but found nothing related. tcpdump doesn't seem to help
> with that.
>
> Has anyone any idea?
>
> Thanks,
>
> Lucas Mocellin.
>



--
Andre Luiz Rodrigues Ferreira (si0ux)
-----------------------------------------------------
andrelrf@gmail.com
http://www.debianart.org


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
09-25-2008, 06:13 PM
"Lucas Mocellin"

how to sniff marked packets by iptables

I tried... no success.

This is the output:
15:12:09.691627 IP (tos 0x0, ttl 63, id 12765, offset 0, flags [DF], proto: TCP (6), length: 40) 10.12.15.10.1433 > 72.246.216.16.80: ., cksum 0xa017 (correct), 1:1(0) ack 1 win 64240

This packet is marked with 0x4bf, but there is no information about that in tcpdump.

2008/9/25 Andre Luiz Rodrigues Ferreira <andrelrf@gmail.com>:
> Hi!
> Try: tcpdump -vvv
>
> 2008/9/25 Lucas Mocellin <lucasmocellin@gmail.com>:
> > Hi,
> >
> > I marked some packets with iptables (-j MARK), and I want to "see" this set.
> >
> > I tried to search Google, but found nothing related. tcpdump doesn't seem to help
> > with that.
> >
> > Has anyone any idea?
> >
> > Thanks,
> >
> > Lucas Mocellin.
>
> --
> Andre Luiz Rodrigues Ferreira (si0ux)
> -----------------------------------------------------
> andrelrf@gmail.com
> http://www.debianart.org
 
09-25-2008, 06:21 PM
"Andre Luiz Rodrigues Ferreira"

how to sniff marked packets by iptables

Hmm...
Try saving the packets with tcpdump to a file and looking at them
with ethereal.

tcpdump -s 1500 -w packets.dump

2008/9/25 Lucas Mocellin <lucasmocellin@gmail.com>:
> I tried... no success.
>
> this is the output:
> 15:12:09.691627 IP (tos 0x0, ttl 63, id 12765, offset 0, flags [DF], proto:
> TCP (6), length: 40) 10.12.15.10.1433 > 72.246.216.16.80: ., cksum 0xa017
> (correct), 1:1(0) ack 1 win 64240
>
> this packet is marked with 0x4bf, but no information on tcpdump.
>
> 2008/9/25 Andre Luiz Rodrigues Ferreira <andrelrf@gmail.com>
>>
>> Hi!
>> Try: tcpdump -vvv
>>
>> 2008/9/25 Lucas Mocellin <lucasmocellin@gmail.com>:
>> > Hi,
>> >
>> > I marked some packets with iptables (-j MARK), and I want to "see" this
>> > set.
>> >
>> > I tried to search Google, but found nothing related. tcpdump doesn't seem
>> > to help with that.
>> >
>> > Has anyone any idea?
>> >
>> > Thanks,
>> >
>> > Lucas Mocellin.
>> >
>>
>>
>>
>> --
>> Andre Luiz Rodrigues Ferreira (si0ux)
>> -----------------------------------------------------
>> andrelrf@gmail.com
>> http://www.debianart.org
>
>



--
Andre Luiz Rodrigues Ferreira (si0ux)
-----------------------------------------------------
andrelrf@gmail.com
http://www.debianart.org


 
09-25-2008, 07:12 PM
"Lucas Mocellin"

how to sniff marked packets by iptables

Yes, ethereal doesn't work either.

Well, I think this is true, but there must be something to sniff these "marks".

thanks,

Lucas.

2008/9/25 Brian Schrock <schrock.brian@gmail.com>:
> I was never under the impression that marking packets does anything to the
> packet itself. It only makes modifications to the struct that represents the
> packet in the kernel. Tcpdump only looks at the packet, therefore mark'ing a
> packet does nothing to the packet that the network would ever see. Internal
> only.
>
> On Thu, Sep 25, 2008 at 1:57 PM, Lucas Mocellin <lucasmocellin@gmail.com> wrote:
> > Hi,
> >
> > I marked some packets with iptables (-j MARK), and I want to "see" this set.
> >
> > I tried to search Google, but found nothing related. tcpdump doesn't seem to
> > help with that.
> >
> > Has anyone any idea?
> >
> > Thanks,
> >
> > Lucas Mocellin.
 
09-29-2008, 12:34 PM
Djingo Cacadril

how to sniff marked packets by iptables

Lucas Mocellin <lucasmocellin@gmail.com> wrote on Thursday, September 25, 2008 7:57:16 PM

> I marked some packets with iptables (-j MARK), and I want to "see" this set.
>
> I tried to search Google, but found nothing related. tcpdump doesn't seem to help with that.

The MARK target _associates_ a mark with the packet in the kernel data structures. That is, the packet itself is not modified. The sniffers tcpdump and ethereal only see the packets as they come in / go out through the wire. Even if you MARK a packet that is subsequently sent out on the wire, only the packet itself, not the associated kernel data structures, is available to the sniffers.

Guessing wildly, there may be a way of creating an extraordinary loopback device, having the router forward marked packets through that device, and having the sniffers sniff that device. Lots of research required, I guess.

Regards
 
09-29-2008, 12:52 PM
Mariusz Kruk

how to sniff marked packets by iptables

On pon, 2008-09-29 at 05:34 -0700, Djingo Cacadril wrote:
> Lucas Mocellin <lucasmocellin@gmail.com> wrote on Thursday, September
> 25, 2008 7:57:16 PM
>
> > I marked some packets with iptables (-j MARK), and I want to "see"
> > this set.
> >
> > I tried to search Google, but found nothing related. tcpdump doesn't seem
> > to help with that.
>
> The MARK target _associates_ a mark with the packet in the kernel data
> structures. That is, the packet itself is not modified. The sniffers
> tcpdump and ethereal only see the packets as they come in / go out
> through the wire. Even if you MARK a packet that is subsequently sent
> out on the wire, only the packet itself, not the associated kernel
> data structures, is available to the sniffers.
>
> Guessing wildly, there may be a way of creating an extraordinary
> loopback device, having the router forward marked packets through
> that device, and having the sniffers sniff that device. Lots of research
> required, I guess.

There is a possibility to do 'routing thru a loop'.
http://lists.netfilter.org/pipermail/netfilter/2005-April/059970.html
It's an extremely ugly solution (even though it's mine ;->), but I think
you'd need it if you want to inspect the actual connection. Just routing
the packets away thru a dummy device wouldn't solve the problem since no
connections could be made.
OTOH, if you don't need to browse the payload, you could just stick with
-j LOG.



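The -j LOG route suggested in the post above, as an added example that is not from the thread or its participants: the fwmark lives only in the kernel's packet metadata, so no sniffer sees it, but the LOG target writes a MARK=0x... field into its log line when the mark is non-zero (assumed here), and that can be filtered back out of the kernel log. The mark 0x4bf is the one from the thread; the chain, port and interface names are placeholders and the log lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): the "-j LOG" approach discussed above.
# A fwmark is kernel-internal metadata, so tcpdump/ethereal never see it; the
# LOG target, however, appends "MARK=0x..." to its line when the mark is
# non-zero (assumed here). We pull those lines back out of the kernel log.
# Assumptions: mark 0x4bf (from the thread); chain/port/interface names are
# placeholders; the sample log lines below are constructed, not captured.

# Print (rather than apply; applying needs root) the two rules involved:
# the mangle-table rule that sets the mark and the filter rule that logs it.
log_rules() {
    mark="$1"
    printf '%s\n' \
      "iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark $mark" \
      "iptables -A FORWARD -m mark --mark $mark -j LOG --log-prefix 'MARKED: '"
}

# Constructed kernel log lines in the LOG target's format (two carry the mark).
SAMPLE_LOG='Sep 25 15:12:09 gw kernel: MARKED: IN=eth1 OUT=eth0 SRC=10.12.15.10 DST=72.246.216.16 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=12765 DF PROTO=TCP SPT=1433 DPT=80 WINDOW=64240 RES=0x00 ACK URGP=0 MARK=0x4bf
Sep 25 15:12:10 gw kernel: OTHER: IN=eth1 OUT=eth0 SRC=10.12.15.11 DST=72.246.216.16 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=12766 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 25 15:12:11 gw kernel: MARKED: IN=eth1 OUT=eth0 SRC=10.12.15.10 DST=72.246.216.16 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=12767 DF PROTO=TCP SPT=1434 DPT=80 WINDOW=64240 RES=0x00 ACK PSH URGP=0 MARK=0x4bf'

# Read log lines on stdin; print "SRC:SPT > DST:DPT" for each line whose
# MARK= field equals the requested mark. The mark may be given as hex or
# decimal; it is normalised to the kernel's own 0x%x spelling before comparing.
marked_flows() {
    want=$(printf '0x%x' "$(( $1 ))")
    awk -v want="$want" '
      {
        mark = ""; src = ""; dst = ""; spt = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
          if (split($i, kv, "=") != 2) continue   # skip DF, ACK, timestamps
          if (kv[1] == "MARK") mark = kv[2]
          else if (kv[1] == "SRC") src = kv[2]
          else if (kv[1] == "DST") dst = kv[2]
          else if (kv[1] == "SPT") spt = kv[2]
          else if (kv[1] == "DPT") dpt = kv[2]
        }
        if (mark == want) print src ":" spt " > " dst ":" dpt
      }'
}

# Stand-alone demo: show the rules, then the marked flows in the sample log.
log_rules 0x4bf
printf '%s\n' "$SAMPLE_LOG" | marked_flows 0x4bf
```

On a real box the input would be the kernel log (e.g. the output of dmesg or the syslog file the kernel facility is written to) instead of SAMPLE_LOG.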
 
09-29-2008, 01:33 PM
"Lucas Mocellin"

how to sniff marked packets by iptables

OK, I understood, but creating a dummy device to sniff it on an operational server is, I think, not the best solution.

But I had never thought about -j LOG, kkkkkkkkkkk. If I filter by the mark and -j LOG, I think that's sufficient.


thanks!!

Lucas.

2008/9/29 Mariusz Kruk <kruk@epsilon.eu.org>:
> On pon, 2008-09-29 at 05:34 -0700, Djingo Cacadril wrote:
> > Lucas Mocellin <lucasmocellin@gmail.com> wrote on Thursday, September
> > 25, 2008 7:57:16 PM
> >
> > > I marked some packets with iptables (-j MARK), and I want to "see"
> > > this set.
> > >
> > > I tried to search Google, but found nothing related. tcpdump doesn't seem
> > > to help with that.
> >
> > The MARK target _associates_ a mark with the packet in the kernel data
> > structures. That is, the packet itself is not modified. The sniffers
> > tcpdump and ethereal only see the packets as they come in / go out
> > through the wire. Even if you MARK a packet that is subsequently sent
> > out on the wire, only the packet itself, not the associated kernel
> > data structures, is available to the sniffers.
> >
> > Guessing wildly, there may be a way of creating an extraordinary
> > loopback device, having the router forward marked packets through
> > that device, and having the sniffers sniff that device. Lots of research
> > required, I guess.
>
> There is a possibility to do 'routing thru a loop'.
> http://lists.netfilter.org/pipermail/netfilter/2005-April/059970.html
> It's an extremely ugly solution (even though it's mine ;->), but I think
> you'd need it if you want to inspect the actual connection. Just routing
> the packets away thru a dummy device wouldn't solve the problem since no
> connections could be made.
> OTOH, if you don't need to browse the payload, you could just stick with
> -j LOG.
 
09-29-2008, 09:17 PM
Alex Samad

how to sniff marked packets by iptables

On Mon, Sep 29, 2008 at 10:33:38AM -0300, Lucas Mocellin wrote:
> OK, I understood, but creating a dummy device to sniff it on an operational
> server is, I think, not the best solution.
>
> But I had never thought about -j LOG, kkkkkkkkkkk. If I filter by the
> mark and -j LOG, I think that's sufficient.

Use ulog; it can store packets in pcap style.

alex

>
> thanks!!
>
> Lucas.
>
> 2008/9/29 Mariusz Kruk <kruk@epsilon.eu.org>
>
> > On pon, 2008-09-29 at 05:34 -0700, Djingo Cacadril wrote:
> > > Lucas Mocellin <lucasmocellin@gmail.com> wrote on Thursday, September
> > > 25, 2008 7:57:16 PM
> > >
> > > > I marked some packets with iptables (-j MARK), and I want to "see"
> > > > this set.
> > > >
> > > > I tried to search Google, but found nothing related. tcpdump doesn't seem
> > > > to help with that.
> > >
> > > The MARK target _associates_ a mark with the packet in the kernel data
> > > structures. That is, the packet itself is not modified. The sniffers
> > > tcpdump and ethereal only see the packets as they come in / go out
> > > through the wire. Even if you MARK a packet that is subsequently sent
> > > out on the wire, only the packet itself, not the associated kernel
> > > data structures, is available to the sniffers.
> > >
> > > Guessing wildly, there may be a way of creating an extraordinary
> > > loopback device, having the router forward marked packets through
> > > that device, and having the sniffers sniff that device. Lots of research
> > > required, I guess.
> >
> > There is a possibility to do 'routing thru a loop'.
> > http://lists.netfilter.org/pipermail/netfilter/2005-April/059970.html
> > It's an extremely ugly solution (even though it's mine ;->), but I think
> > you'd need it if you want to inspect the actual connection. Just routing
> > the packets away thru a dummy device wouldn't solve the problem since no
> > connections could be made.
> > OTOH, if you don't need to browse the payload, you could just stick with
> > -j LOG.

--
"Tommy (Thompson) is a good listener, and he's a pretty good actor, too. "

- George W. Bush
08/13/2002
Waco, TX
apparently confusing his Health and Human Services secretary with Sen. Fred Thompson
 
