tcpdump and packets filtered by iptables

Discussion in 'Linux Networking' started by AlexZ, May 26, 2004.

  1. AlexZ



    Does tcpdump on an interface see the packets that are filtered out by
    iptables rules? Does it matter if it's in INPUT or FORWARD chain?

    This is probably documented somewhere but I can't find it (I do not feel
    up to reading kernel source ;)
    Thanks a lot

    AlexZ, May 26, 2004

  2. No and yes.

    From the man page:

    Tcpdump prints out the headers of packets on a network interface
    that match the boolean expression.

    Note that it only listens on an interface - i.e. the point at which the
    packets enter or leave the computer.

    If you know your iptables then you know that only the output chain of any
    table is filtered; the correct sequence (for the standard filter table) is:

    wire -> NIC -> tcpdump -> INPUT chain

    OUTPUT chain -> tcpdump -> NIC -> wire.

    tcpdump listens in between the NIC and the iptables kernel code.

    Then don't; even though iptables functionality is included in the kernel
    the actual program is on
    Go there and be edified.
    Jeroen Geilman, May 27, 2004
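
An added example, not part of the thread: a small Python model of the ordering in the diagram above, extended to the FORWARD case from the question. It assumes only filter-table DROP rules (other tables and the PREROUTING/POSTROUTING hooks are left out); the interface names, packet fields and rule format are constructed for the illustration.

```python
# Toy model of where a capture tap (tcpdump) sits relative to the
# netfilter filter-table chains. All names and sample data are constructed.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str
    dport: int
    in_if: Optional[str]   # None = generated by a local process
    out_if: Optional[str]  # None = addressed to this host

def chain_for(pkt):
    """Pick the single filter chain this packet traverses."""
    if pkt.in_if is None:
        return "OUTPUT"
    return "INPUT" if pkt.out_if is None else "FORWARD"

def dropped(rules, chain, pkt):
    """True if a DROP rule in `chain` matches the packet."""
    return any(r["chain"] == chain and r["proto"] == pkt.proto
               and r["dport"] == pkt.dport for r in rules)

def trace(rules, pkt):
    """Return (interfaces where tcpdump sees the packet, verdict)."""
    seen = []
    if pkt.in_if is not None:      # ingress tap: after the NIC, before any chain
        seen.append(pkt.in_if)
    chain = chain_for(pkt)
    if dropped(rules, chain, pkt):
        return seen, "DROP in " + chain
    if pkt.out_if is not None:     # egress tap: after the chains, before the NIC
        seen.append(pkt.out_if)
    return seen, "ACCEPT"

# Constructed DROP rules and packets, one per case worth checking.
RULES = [{"chain": "INPUT", "proto": "tcp", "dport": 23},
         {"chain": "OUTPUT", "proto": "udp", "dport": 53},
         {"chain": "FORWARD", "proto": "tcp", "dport": 445}]
CASES = {"inbound telnet": Packet("tcp", 23, "eth0", None),
         "outbound dns": Packet("udp", 53, None, "eth0"),
         "forwarded smb": Packet("tcp", 445, "eth0", "eth1"),
         "forwarded http": Packet("tcp", 80, "eth0", "eth1")}

if __name__ == "__main__":
    for name, pkt in CASES.items():
        seen, verdict = trace(RULES, pkt)
        print(f"{name:15} {verdict:16} tcpdump sees it on: {seen or 'nothing'}")
```

When a capture looks inconsistent with the ruleset, comparing it against the per-rule packet counters from `iptables -L -v -n` shows which chain took the packet.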

  3. AlexZ


    Thanks a lot. This note is missing from tcpdump 3.6 on redhat 7.2

    I do enjoy reading well written docs - and netfilter guides are among my
    favorites ;)

    AlexZ, May 27, 2004