I use iptables to block different kinds of attacks on my server. We have a different set of rules along with different rate-limit rules. Now I also use a script that watches the throughput and, if it exceeds 10mb/s, dumps all the packets to a file. This script keeps running all the time in a screen session and uses the following command to dump:
tcpdump -nn -s0 -c 2000 -w Attack.cap
sleep 300
Once attacked, it waits 5 minutes before checking for another attack (sleep 300). Now I doubt whether iptables still works during the packet capture, because in /var/messages I see lines like "eth0 entered promiscuous mode" and "eth0 left promiscuous mode", so it might overlook iptables?
http://en.wikipedia.org/wiki/Promiscuous_mode
This does not bypass any kind of firewall.
Try using the command
By default tcpdump will put the interface into promiscuous mode. For your purposes, I don't believe you need promiscuous mode for what you are doing. Specifying the interface prevents tcpdump from looking for it, and possibly getting the wrong interface.

tcpdump grabs the raw packets before they get firewalled by iptables, so you will be able to see packets that get dropped or rejected by the firewall.
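The threshold-triggered capture from the question, rewritten as an added example (not the poster's script) with the answer's advice applied: the interface is named explicitly with -i, and tcpdump's -p flag keeps it out of promiscuous mode. The interface name eth0, the 10 Mbit/s threshold and the output directory are assumptions.

```shell
#!/bin/sh
# Added example: poll the interface byte counter, start a capture when the
# inbound rate crosses the threshold, then pause five minutes as the question
# does. The capture runs alongside iptables, not instead of it: tcpdump reads
# raw frames before netfilter, so packets the firewall drops still appear in
# the file. eth0, 10 Mbit/s and /var/tmp are assumed values.
IFACE="${IFACE:-eth0}"
THRESHOLD_MBPS="${THRESHOLD_MBPS:-10}"
INTERVAL=1                 # seconds between the two counter samples
OUTDIR="${OUTDIR:-/var/tmp}"

# Receive-byte counter for interface $1 from a /proc/net/dev-style file.
# $2 may point at a constructed copy so the parser can be exercised offline;
# the field separator copes with old kernels that print "eth0:1234" unspaced.
rx_bytes() {
    awk -F'[: ]+' -v ifc="$1" '{ sub(/^ +/, "") } $1 == ifc { print $2 }' \
        "${2:-/proc/net/dev}"
}

# Integer megabits per second from byte counters $1 and $2 taken $3 s apart.
rate_mbps() {
    echo $(( ($2 - $1) * 8 / $3 / 1000000 ))
}

# Capture 2000 full-size packets on $1 into $2 without entering promiscuous
# mode (-p); -i names the interface so tcpdump does not have to guess it.
capture() {
    tcpdump -p -i "$1" -nn -s0 -c 2000 -w "$2"
}

monitor_loop() {
    while :; do
        before=$(rx_bytes "$IFACE")
        sleep "$INTERVAL"
        after=$(rx_bytes "$IFACE")
        if [ "$(rate_mbps "$before" "$after" "$INTERVAL")" -gt "$THRESHOLD_MBPS" ]; then
            capture "$IFACE" "$OUTDIR/attack-$(date +%Y%m%d-%H%M%S).cap"
            sleep 300      # same five-minute back-off as the original script
        fi
    done
}

# Run the loop only when asked; sourcing the file just defines the functions.
if [ "${RUN_MONITOR:-0}" = 1 ]; then
    monitor_loop
fi
```

Run it as root with RUN_MONITOR=1; inside a screen session it behaves like the original loop but never toggles promiscuous mode on eth0.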