Since Linux 2.6.14 packets logged by the kernel packet filter (the NFLOG target) can be passed to userspace, and libpcap can capture that stream as an `nflog:N` interface, where N is the NFLOG group number.
## Requirements:
- libpcap 1.2.1 or newer (commit cc8520ff5294900d93509eaf843684c51af102a9).
- Linux kernel with the NFLOG target (CONFIG\_NETFILTER\_XT\_TARGET\_NFLOG, which selects CONFIG\_NETFILTER\_NETLINK\_LOG, the nfnetlink\_log backend that delivers the logged packets to userspace).
- Effective UID 0 (root) or the CAP\_NET\_ADMIN capability for the capturing process (dumpcap). The usual Wireshark setup of granting dumpcap the cap\_net\_raw and cap\_net\_admin file capabilities with setcap therefore also covers NFLOG capture.
According to the [iptables-extensions(8)](http://ipset.netfilter.org/iptables-extensions.man.html) manual page, NFLOG normally (with the nfnetlink\_log backend) multicasts the packets to a netlink multicast group, the one selected with --nflog-group. Binding to netlink multicast groups requires CAP\_NET\_ADMIN, as documented in the [netlink(7)](http://man7.org/linux/man-pages/man7/netlink.7.html) manual page.
## Examples:
- Capture packets sent by uid 1000, and the replies to them, to the file uid-1000.pcap

Important: `-m owner` cannot be used in INPUT since it matches originating sockets only. To track responses to outgoing traffic, a connection mark has to be set in OUTPUT and matched in INPUT:

```
# iptables -A OUTPUT -m owner --uid-owner 1000 -j CONNMARK --set-mark 1
# iptables -A INPUT -m connmark --mark 1 -j NFLOG --nflog-group 30
# iptables -A OUTPUT -m connmark --mark 1 -j NFLOG --nflog-group 30
# dumpcap -i nflog:30 -w uid-1000.pcap
```

The rules stay in place after dumpcap exits; remove them with the same commands and `-D` in place of `-A` once the capture is done.
- Capture TCP packets to or from port 80 to the file port-80.pcap

```
# iptables -A INPUT -p tcp -m tcp --sport 80 -j NFLOG --nflog-group 40
# iptables -A OUTPUT -p tcp -m tcp --dport 80 -j NFLOG --nflog-group 40
# dumpcap -i nflog:40 -w port-80.pcap
```
## Caveats
The maximum payload size that can be captured per packet is **65531 bytes**: the payload travels as a netlink attribute with a 16-bit length field, so 65535 (the maximum TLV length) minus the two-byte length and the two-byte NFULA\_PAYLOAD type of the attribute header. Larger packets are truncated, which can happen on interfaces with a larger MTU.

This affects the loopback interface, whose default MTU has been 65536 since [Linux 3.7](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0cf833aefaa85bbfce3ff70485e5534e09254773). An IPv4 packet can be at most 65535 bytes (the total-length field is 16 bits), so the last four bytes of a maximum-size IP packet could be lost. If capturing everything is important, lower the MTU, for example:

```
# ip link set lo mtu 65528
```
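To see what an NFLOG capture actually contains, and to spot payloads that hit the 65531-byte ceiling, the following script is an added example written for this page; it is not code from the Wireshark wiki, libpcap or Wireshark. It walks a classic pcap file captured from an `nflog:N` interface and decodes the LINKTYPE_NFLOG (239) encapsulation as libpcap's link-layer header documentation describes it: a 4-byte header (address family, version, NFLOG group in big-endian) followed by the netlink attributes the kernel sent as TLVs, whose 2-byte length and type are in the capturing host's byte order and padded to 4 bytes. The NFULA\_* attribute numbers come from the kernel's uapi nfnetlink\_log.h; the capture used when no file name is given is constructed in memory in `build_sample_pcap()`, so the script runs offline. Note that dumpcap writes pcapng by default regardless of the file extension; use `dumpcap -P`, or convert with `editcap -F pcap`, to get the classic format this reader expects.

```python
"""Decode the LINKTYPE_NFLOG records of a classic pcap file (added example,
not code from the Wireshark wiki or libpcap; the sample capture is constructed)."""
import struct
import sys

LINKTYPE_NFLOG = 239
NFULNL_COPY_RANGE_MAX = 0xFFFF - 4   # largest 16-bit TLV length minus 4-byte TLV header == 65531
# NFULA_* attribute types from the kernel's uapi nfnetlink_log.h
NFULA_MARK, NFULA_PAYLOAD, NFULA_PREFIX, NFULA_UID, NFULA_GID = 2, 9, 10, 11, 14
NLA_TYPE_MASK = 0x3FFF               # drop the NLA_F_NESTED / NLA_F_NET_BYTEORDER flag bits


def parse_nflog_record(data, tlv_order="<"):
    """Decode one NFLOG-encapsulated packet: 4-byte header (family, version,
    big-endian group) followed by netlink attributes whose 2-byte length and
    type are in the capturing host's byte order and padded to 4 bytes."""
    if len(data) < 4:
        raise ValueError("short NFLOG header")
    family, version, group = struct.unpack(">BBH", data[:4])
    if version != 0:
        raise ValueError("unsupported NFLOG version %d" % version)
    rec = {"family": family, "group": group, "payload": b""}
    off = 4
    while off + 4 <= len(data):
        tlv_len, tlv_type = struct.unpack(tlv_order + "HH", data[off:off + 4])
        tlv_type &= NLA_TYPE_MASK
        if tlv_len < 4 or off + tlv_len > len(data):
            raise ValueError("bad TLV at offset %d" % off)
        value = data[off + 4:off + tlv_len]            # the length counts the TLV header
        if tlv_type == NFULA_PAYLOAD:
            rec["payload"] = value
        elif tlv_type == NFULA_PREFIX:                 # NUL-terminated --nflog-prefix string
            rec["prefix"] = value.rstrip(b"\0").decode("ascii", "replace")
        elif tlv_type in (NFULA_MARK, NFULA_UID, NFULA_GID):
            name = {NFULA_MARK: "mark", NFULA_UID: "uid", NFULA_GID: "gid"}[tlv_type]
            rec[name] = struct.unpack(">I", value[:4])[0]   # the kernel emits these big-endian
        off += (tlv_len + 3) & ~3
    # exactly 65531 payload bytes means the kernel hit its copy ceiling: treat as truncated
    rec["truncated"] = len(rec["payload"]) >= NFULNL_COPY_RANGE_MAX
    return rec


def read_pcap(blob):
    """Yield (byte_order, packet_bytes) for each record of a classic pcap blob."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(blob[:4])
    if order is None:
        raise ValueError("not a classic pcap file (dumpcap writes pcapng unless -P is given)")
    if struct.unpack(order + "I", blob[20:24])[0] != LINKTYPE_NFLOG:
        raise ValueError("link type is not LINKTYPE_NFLOG")
    off = 24
    while off + 16 <= len(blob):
        caplen = struct.unpack(order + "I", blob[off + 8:off + 12])[0]
        off += 16
        yield order, blob[off:off + caplen]
        off += caplen


def summarize(blob):
    """One dict per record: group, mark, uid, prefix, payload length, truncation flag."""
    rows = []
    for order, data in read_pcap(blob):
        rec = parse_nflog_record(data, order)
        row = {k: rec.get(k) for k in ("group", "mark", "uid", "prefix", "truncated")}
        row["payload_len"] = len(rec["payload"])
        rows.append(row)
    return rows


def _tlv(tlv_type, value, order="<"):
    body = struct.pack(order + "HH", 4 + len(value), tlv_type) + value
    return body + b"\0" * (-len(body) % 4)


def build_sample_pcap():
    """Constructed sample, not a real capture: two records on group 30. Record 1 is a
    40-byte IPv4/TCP packet on 127.0.0.1 with connmark 1 and uid 1000, as the uid example
    above would log; record 2 carries the 65531-byte maximum an NFLOG payload can hold."""
    ipv4 = bytes.fromhex("4500002800004000400600007f0000017f000001") + b"\0" * 20
    huge = ipv4[:2] + struct.pack(">H", 0xFFFF) + ipv4[4:] + b"A" * (NFULNL_COPY_RANGE_MAX - len(ipv4))
    hdr = struct.pack(">BBH", 2, 0, 30)                # AF_INET, version 0, nflog group 30
    rec1 = (hdr + _tlv(NFULA_MARK, struct.pack(">I", 1)) + _tlv(NFULA_PREFIX, b"uid1000\0")
            + _tlv(NFULA_UID, struct.pack(">I", 1000)) + _tlv(NFULA_PAYLOAD, ipv4))
    rec2 = hdr + _tlv(NFULA_PAYLOAD, huge)
    pcap = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, LINKTYPE_NFLOG)
    for i, rec in enumerate((rec1, rec2)):              # ts_sec, ts_usec, incl_len, orig_len
        pcap += struct.pack("<IIII", 1597187519, i, len(rec), len(rec)) + rec
    return pcap


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    for row in summarize(blob):
        print(row)
```

Run it with a capture file as the only argument, or with none to decode the built-in sample. For locally generated packets the kernel attaches NFULA\_UID and NFULA\_MARK, so with the uid example above the owner and the connmark can be read straight from the capture rather than inferred from addresses; a record whose payload length is exactly 65531 is the truncation case the caveat describes.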
## External links
- <https://www.netfilter.org/> - Homepage of netfilter.org
---
Imported from https://wiki.wireshark.org/CaptureSetup/NFLOG on 2020-08-11 23:11:59 UTC