This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

wireshark see packets which should be dropped by iptables


Hello, using iptables

[email protected]:~# iptables -A INPUT -s 192.168.1.5 -p udp -j DROP

I wanted to drop all incoming UDP packets, but I don't know why Wireshark sees all these packets. Moreover,

iptables -L -n -v

says that the packets were dropped.

asked 11 Jun '11, 16:03


azazzel01


2 Answers:


One basic rule of network analysis is that you never run the analysis tool on the same system as the device under test (or device under suspicion), as that might not give you the right picture (as you are experiencing).

What you would want to do is run Wireshark twice, on systems connected to span/mirror ports that span/mirror the traffic on the outside and inside interfaces of the system running iptables. Then you can see the effect and effectiveness of the iptables rules in place.

answered 11 Jun '11, 22:04


SYN-bit ♦♦

OK, thanks for the help. I have just done it using ulogd and its ulogd-pcap plugin. In this way iptables creates a pcap file with the packets which were not dropped, and it can be easily opened by Wireshark.

(11 Jun '11, 23:12) azazzel01


My guess is that libpcap captures the packets just before they get processed (and blocked if UDP) by your iptables engine.

If your iptables machine is routing the packets you might want to check on the other side whether they exit as well (in which case your iptables has a problem). If it is an endpoint you should check whether any UDP packet ever gets answered - either by a UDP packet if there is a service on that port, or by an ICMP port unreachable packet if there is not. If you see none of these reply packets, dropping the UDP packets obviously works.

answered 11 Jun '11, 16:21


Jasper ♦♦

Yes, you are right. I have found some information that libpcap works just before netfilter, and that's why Wireshark sees all the packets. I have checked it using:

[email protected]:~# iptables -L INPUT -n -v

and iptables shows that the packets were dropped, but it doesn't solve my problem. I wrote a simple C program which sends UDP packets to some other computer (with iptables dropping them), and I need to know exactly which packets were dropped. Because Wireshark shows all packets and iptables shows only the number of dropped packets, is it possible to check it?

Thank you for your help, and sorry for my English; I am not a native English speaker.

(11 Jun '11, 17:09) azazzel01
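The asker's own ulogd-pcap approach yields two captures: everything libpcap saw on the host (before netfilter) and only what netfilter let through. The following is an added example, not code from the thread, that diffs the two as multisets of UDP packets to list exactly which ones were dropped. It assumes classic pcap files with Ethernet framing and builds its own constructed sample captures using the question's rule (drop UDP from 192.168.1.5).

```python
import socket
import struct
from collections import Counter

def udp_frames(pcap_bytes):
    """Yield (src, dst, sport, dport, payload) for each Ethernet/IPv4/UDP frame in a classic pcap."""
    magic = struct.unpack("<I", pcap_bytes[:4])[0]
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    off = 24  # skip the global header
    while off + 16 <= len(pcap_bytes):
        incl = struct.unpack(end + "IIII", pcap_bytes[off:off + 16])[2]  # captured length
        frame = pcap_bytes[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # need an IPv4 EtherType
            continue
        ihl = (frame[14] & 0x0F) * 4
        if frame[14 + 9] != 17:  # IP protocol field: 17 = UDP
            continue
        u = 14 + ihl
        sport, dport, ulen = struct.unpack("!HHH", frame[u:u + 6])
        yield (socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34]),
               sport, dport, frame[u + 8:u + ulen])

def dropped_udp(seen_pcap, passed_pcap):
    """UDP packets present in the host capture but absent from the passed capture (multiset diff)."""
    return sorted((Counter(udp_frames(seen_pcap)) - Counter(udp_frames(passed_pcap))).elements())

# Constructed sample captures (not from the thread): same rule as the question, drop UDP from 192.168.1.5.
def build_pcap(frames):
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    return header + b"".join(struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames))

def udp_frame(src, dst, sport, dport, payload):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 1, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + udp + payload

SEEN = build_pcap([udp_frame("192.168.1.5", "192.168.1.10", 40000, 5000, b"one"),
                   udp_frame("192.168.1.7", "192.168.1.10", 40001, 5000, b"two"),
                   udp_frame("192.168.1.5", "192.168.1.10", 40000, 5000, b"three")])
PASSED = build_pcap([udp_frame("192.168.1.7", "192.168.1.10", 40001, 5000, b"two")])

if __name__ == "__main__":
    print(dropped_udp(SEEN, PASSED))  # the two packets from 192.168.1.5
```

Because the diff is a multiset, identical retransmissions are counted by multiplicity rather than collapsed, so a packet dropped on its second send still shows up once.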