iptables and libpcap

views:

502

answers:

+2 Q:

iptables and libpcap

hi,

i have rule set up to drop udp/tcp packets with matching strings. however, my program which captures packet using libpcap, is still able to see this packet.

Why is this/, what should be the iptable rules to drop packets before it is seen by libpcap?

Is there anyway,perhaps other than iptables rules, to drop this packet before it is seen by libpcap/tcpdump?

+2 A:

Yes, libpcap sees all the packets.. They are being captured before being processed by the netfilter.

Anonymous 2009-05-06 13:10:23

thanks, any other way,apart from iptables, to drop this packets, before they reach libpcap?

Kazoom 2009-05-06 13:16:44

If those are non-lan packets You could drop them on the router.

Reef 2009-05-06 17:28:23

Also libpcap-based programs usually allow You to supply a filter in the standard tcpdump format.

Reef 2009-05-06 17:29:56

is it possible that aprtables or ebtables block the packets before libpcap hooks in?

jdizzle 2009-05-13 19:59:46

+1 A:

Theres no way for libpcap to see the packets before netfilter, netfilter is a kernel module, and processes all packets before they hit user mode, it can even see the packets before the kernel sees it. Could you explain further explain ? Its possible that libpcap is also setting hooks on netfilter that overwrite the one in iptables. The real issue is that looking and what hooks are set on netfilter is far from trivial, and can only be done in kernel mode. Investigate how libpcap gets the packets.

daniel 2009-06-03 04:55:09

libpcap doesn't use netfilter hooks to capture the packets. libpcap captures packets before it is passed to the TCP/IP stack

codingfreak 2009-10-08 08:08:07

ansaurus

tags:

views:

answers:

iptables and libpcap

related questions