hi,

I have a rule set up to drop UDP/TCP packets with matching strings. However, my program, which captures packets using libpcap, is still able to see these packets.

Why is this, and what should the iptables rules be to drop packets before they are seen by libpcap?

Is there any way, perhaps other than iptables rules, to drop these packets before they are seen by libpcap/tcpdump?

+2  A: 

Yes, libpcap sees all the packets. They are being captured before being processed by netfilter.

Anonymous
Thanks. Is there any other way, apart from iptables, to drop these packets before they reach libpcap?
Kazoom
If those are non-LAN packets, you could drop them on the router.
Reef
Also, libpcap-based programs usually allow you to supply a filter in the standard tcpdump format.
Reef
Is it possible that arptables or ebtables block the packets before libpcap hooks in?
jdizzle
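The comment above about supplying a tcpdump-style filter points at the practical alternative for the asker: if the capture program must not see the packets, filter them inside the capture path rather than expecting an iptables rule to hide them. The following is an added example, not code from the question or any answer: a pure-Python pcap reader that applies a capture-side filter by destination port and payload string, which is the capture-program equivalent of the iptables string match the asker configured. The two-packet-style capture (`SAMPLE_PCAP`) is constructed in the script, and all function names are the example's own.

```python
"""Added example: capture-side filtering of pcap frames, mimicking what a
libpcap program does with a tcpdump-style filter. The sample capture is
constructed here, not a real trace."""
import struct


def ip_to_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def build_udp_packet(src_ip, dst_ip, sport, dport, payload):
    """Construct an Ethernet/IPv4/UDP frame (constructed sample input)."""
    eth = b"\x00" * 6 + b"\x00" * 6 + b"\x08\x00"          # dst, src, EtherType IPv4
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload  # UDP checksum 0 is allowed
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                     ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    return eth + ip + udp


def build_pcap(packets):
    """Wrap raw frames in a classic little-endian pcap file (linktype 1 = Ethernet)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    body = b""
    for i, pkt in enumerate(packets):
        body += struct.pack("<IIII", i, 0, len(pkt), len(pkt)) + pkt  # ts_sec, ts_usec, incl_len, orig_len
    return header + body


def read_pcap(data):
    """Yield raw frames from pcap bytes, honouring the magic number's byte order."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    offset = 24
    while offset + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        yield data[offset:offset + incl_len]
        offset += incl_len


def parse_frame(frame):
    """Return (proto, src, dst, sport, dport, payload) for IPv4 UDP/TCP, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    l4 = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
    if proto == 17:                                   # UDP: fixed 8-byte header
        payload = frame[l4 + 8:]
    elif proto == 6:                                  # TCP: data offset in header
        payload = frame[l4 + (frame[l4 + 12] >> 4) * 4:]
    else:
        return None
    return proto, src, dst, sport, dport, payload


def filter_packets(pcap_bytes, dport=None, needle=None):
    """Keep only packets matching the port and/or payload string (capture-side filter)."""
    kept = []
    for frame in read_pcap(pcap_bytes):
        info = parse_frame(frame)
        if info is None:
            continue
        if dport is not None and info[4] != dport:
            continue
        if needle is not None and needle not in info[5]:
            continue
        kept.append(info)
    return kept


def drop_matching(pcap_bytes, needle):
    """Discard packets whose payload contains needle; what an iptables string-match DROP
    does in netfilter, done here inside the capture program instead."""
    return [info for info in map(parse_frame, read_pcap(pcap_bytes))
            if info is not None and needle not in info[5]]


# Constructed sample capture: three UDP datagrams, two carrying the marker string.
SAMPLE_PCAP = build_pcap([
    build_udp_packet("10.0.0.1", "10.0.0.2", 40000, 5000, b"hello MATCHME world"),
    build_udp_packet("10.0.0.3", "10.0.0.2", 40001, 5000, b"routine report"),
    build_udp_packet("10.0.0.4", "10.0.0.2", 40002, 53, b"MATCHME in dns"),
])

if __name__ == "__main__":
    for info in filter_packets(SAMPLE_PCAP, dport=5000, needle=b"MATCHME"):
        print(info[1], "->", info[2], "port", info[4], info[5])
```

The point of the split between `filter_packets` and `drop_matching` is the one the thread is circling: a netfilter DROP and a capture-side filter are applied at different places, so a packet hidden from the TCP/IP stack by iptables can still be handed to the capture program, and only a filter on the capture side decides what that program sees.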
+1  A: 

There's no way for libpcap to see the packets before netfilter; netfilter is a kernel module and processes all packets before they hit user mode. It can even see the packets before the kernel sees them. Could you explain further? It's possible that libpcap is also setting hooks on netfilter that overwrite the ones in iptables. The real issue is that looking at what hooks are set on netfilter is far from trivial, and can only be done in kernel mode. Investigate how libpcap gets the packets.

daniel
libpcap doesn't use netfilter hooks to capture the packets. libpcap captures packets before they are passed to the TCP/IP stack.
codingfreak