- About us
- Code of Conduct
- Google SoC
- Recent posts
- Security Workshops
For one of my subject to school I had to work on project using netlink sockets.
I decided to work with netfilter subsystem, and one of possible use of netfilter is to get packets logged by the kernel packet filter (ULOG/NFLOG target).
When you capture from network interfaces you can use BPF to filter traffic.
But BPF is stateless and can only filter only from frame data.
In contrast iptables can not only match data from packet, but it can get information from tcp/ip stack, and you can use many extensions of iptables or write your own.
IMHO one of most interesting use cases is sniffing using netfilter owner module.
(which can be used to filter packets generated for example by suspicious user or malware).
man 8 iptables list these options:
Unfortunetly on my Linux-220.127.116.11 SMP system it's possible only to use three: -- uid-owner, --gid-owner and --socket-exists.
But it's still good!
You can also put NFLOG as last target of your firewall and filter data which passed firewall.
(wireshark see packets which should be dropped by iptables)
It can be also used by people who finds BPF syntax hard, and prefers to grep/gawk output of tcpdump ;)
Project was handed, I got A ;-) but after GSoC I might work on:
NFQUEUE is also used by DAQ (Snort IDS library)
|Patch for dumpcap||17.12 KB|