Hi,
I think you should look into ulogd. ulogd is a userspace logging daemon for
netfilter/iptables related logging
(http://www.netfilter.org/projects/ulogd/index.html). Using the
ulogd_output_PCAP.so plugin you can have it write pcap files.
Thanks,
Jaap
On 12/28/2012 06:58 PM, kapetr wrote:
Hello,
I run Wireshark in Ubuntu 12.04.1 64b.
If I see it correctly, Wireshark shows all incoming packets, even those which are dropped by the firewall (iptables).
1. Is this so?
2. For outgoing packets I expect it will be reversed: Wireshark will not show packets dropped by the FW?
[In other words: Wireshark is bite between FW and NIC driver?]
3. Is there a way to show in Wireshark ALL in/out packets AND mark (colorize) packets which are/will be dropped by the FW?
[Wireshark would have to monitor also packets between the FW and the higher layer of the system]
Thanks --kapetr