Using tcpdump with iptables?


Solution 1

http://en.wikipedia.org/wiki/Promiscuous_mode

In computer networking, promiscuous mode or promisc mode is a mode for a wired network interface controller (NIC) or wireless network interface controller (WNIC) that causes the controller to pass all traffic it receives to the central processing unit (CPU) rather than passing only the frames that the controller is intended to receive.

This does not bypass any kind of firewall.

Solution 2

Try using the command

 tcpdump -i eth0 -p -nn -s0 -c 2000 -w Attack.cap

By default tcpdump will put the interface into promiscuous mode. For your purposes, I don't believe you need promiscuous mode for what you are doing. Specifying the interface prevents tcpdump from looking for it, and possibly getting the wrong interface.

tcpdump grabs the raw packets before they get firewalled by iptables, so you will be able to see packets that get dropped or rejected by the firewall.
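As an added example, not code from the question or either answer, here is how the asker's threshold-triggered dump (described in the comments below) could be built around the interface-specific, non-promiscuous command suggested here. The interface name, the sysfs counter path, the output directory and the reading of the question's "10mb/s" as megabytes per second are assumptions.

```shell
#!/bin/sh
# Assumed interface, threshold, cool-down and output directory; override via environment.
IFACE="${IFACE:-eth0}"
THRESHOLD_MBPS="${THRESHOLD_MBPS:-10}"   # megabytes per second (assumed reading of "10mb/s")
INTERVAL=1                               # seconds between counter samples
COOLDOWN=300                             # the question's "sleep 300"
OUTDIR="${OUTDIR:-/var/tmp/captures}"

# Bytes received on an interface so far, from the kernel's own counter
# (reading it needs no promiscuous mode).
rx_bytes() {
    cat "/sys/class/net/$1/statistics/rx_bytes"
}

# Megabytes per second between two counter samples taken $3 seconds apart.
# Integer arithmetic only, so it runs in plain POSIX sh.
rate_mbps() {
    echo $(( ($2 - $1) / ($3 * 1000000) ))
}

# Succeeds when the observed rate reaches the threshold.
above_threshold() {
    [ "$1" -ge "$THRESHOLD_MBPS" ]
}

# 2000 packets from the named interface only: -p keeps the NIC out of
# promiscuous mode, -nn skips name lookups, -s0 keeps full packets.
capture() {
    mkdir -p "$OUTDIR"
    tcpdump -i "$IFACE" -p -nn -s0 -c 2000 \
        -w "$OUTDIR/Attack-$(date +%Y%m%d-%H%M%S).cap"
}

monitor() {
    while :; do
        before=$(rx_bytes "$IFACE")
        sleep "$INTERVAL"
        after=$(rx_bytes "$IFACE")
        if above_threshold "$(rate_mbps "$before" "$after" "$INTERVAL")"; then
            capture
            sleep "$COOLDOWN"   # wait before looking for the next burst
        fi
    done
}

# Start the loop only when asked (RUN_MONITOR=1 ./monitor.sh); otherwise just define functions.
if [ "${RUN_MONITOR:-0}" = 1 ]; then
    monitor
fi
```

Because the counter is read from the kernel rather than from a capture, the interface only enters promiscuous mode if tcpdump is run without -p, and iptables keeps filtering as before either way.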

Author: Asad Moeen

Updated on September 18, 2022

Comments

  • Asad Moeen
    Asad Moeen almost 2 years

    I use iptables to block different kinds of attacks on my server. We have a different set of rules along with different rate-limit rules. Now I also use a script that observes the throughput and, if it is greater than 10mb/s, dumps all the packets to a file. This script keeps running all the time in a screen session and uses the following command to dump:

    tcpdump -nn -s0 -c 2000 -w Attack.cap
    sleep 300

    Once attacked, it waits 5 minutes before checking for another attack (sleep 300). Now I doubt whether iptables still works during the packet capture, because in /var/messages I see lines like "eth0 entered promiscuous mode" and "eth0 left promiscuous mode", so might it overlook iptables?

  • Asad Moeen
    Asad Moeen almost 11 years
    I'm already seeing packets that get dropped by the firewall, so I don't think "promiscuous mode" has anything to do with it. The only reason I asked was that I doubted the firewall was working, because my server responded to an incoming packet, but later I realized that the attack may have passed the filter rules.
  • BillThor
    BillThor almost 11 years
    @AsadMoeen Promiscuous mode can increase the load on your network stack by disabling the Ethernet card's on-board filtering. This depends on the network traffic and the board's capabilities.