This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hello, using iptables:

iptables -A INPUT -s 192.168.1.5 -p udp -j DROP

I wanted to drop all incoming UDP packets, but I don't know why Wireshark sees all these packets. Moreover

iptables -L -n -v

says that the packets were dropped.

asked 11 Jun '11, 16:03

azazzel01


One basic rule of network analysis is that you never run the analysis tool on the same system as the device under test (or device under suspicion), as that might not give you the right picture (as you are experiencing).

What you would want to do is run Wireshark twice, on systems attached to span/mirror ports that mirror the traffic on the outside and inside interfaces of the system running iptables. Then you can see the effect and effectiveness of the iptables rules in place.


answered 11 Jun '11, 22:04

SYN-bit

OK, thanks for the help. I have just done it using ulogd and its plugin ulogd-pcap. In this way iptables creates a pcap file with the packets which were not dropped, and it can be easily opened by Wireshark.

(11 Jun '11, 23:12) azazzel01

My guess is that libpcap captures the packets just before they get processed (and blocked, if UDP) by your iptables engine.

If your iptables machine is routing the packets you might want to check on the other side whether they exit as well (in which case your iptables has a problem). If it is an endpoint you should check whether any UDP packet ever gets answered, either by a UDP packet if there is a service on that port, or by an ICMP port unreachable packet if there is not. If you see none of these reply packets, dropping the UDP packets obviously works.


answered 11 Jun '11, 16:21

Jasper

Yes, you are right. I have found some information that libpcap works just before netfilter, and that's why Wireshark sees all the packets. I have checked it using:

iptables -L INPUT -n -v

and iptables shows that the packets were dropped, but it doesn't solve my problem. I wrote a simple C program which sends UDP packets to some other computer (with iptables dropping them), and I need to know exactly which packets were dropped. Because Wireshark shows all packets and iptables shows only the number of dropped packets, is it possible to check it?

Thank you for the help, and sorry for my English, I am not a native English speaker.

(11 Jun '11, 17:09) azazzel01
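Jasper's endpoint check (a UDP probe is either answered by a UDP reply, answered by ICMP port unreachable, or gets nothing at all) as a small probe, added here as an example and not code from this thread. It runs against three constructed listeners on 127.0.0.1 so it needs no firewall to show the three outcomes; against a remote host behind the DROP rule above, a probe to a closed port would come back "silent" instead of "unreachable". The names `probe_udp`, `start_udp_listener`, `closed_udp_port` and `demo` are my own, and the Linux behaviour of delivering the ICMP error as ECONNREFUSED on a connected UDP socket is assumed.

```python
"""Classify what happens to a UDP probe: answered, ICMP-unreachable, or silent.

Added example, not code from the thread. Assumes Linux semantics: an ICMP port
unreachable in response to a datagram sent on a connect()ed UDP socket is
reported to that socket as ECONNREFUSED on the next recv().
"""
import socket
import threading

TIMEOUT = 1.0          # seconds to wait for any reply before calling it "silent"
PAYLOAD = b"probe"     # constructed test payload; any bytes will do


def probe_udp(host, port, timeout=TIMEOUT, payload=PAYLOAD):
    """Send one UDP datagram and report what came back.

    Returns one of:
      "answered"    - a UDP datagram came back: a service is listening and replied
      "unreachable" - the kernel reported ICMP port unreachable: the packet was
                      delivered, nothing listened, so no filter dropped it
      "silent"      - nothing within the timeout: dropped by a packet filter,
                      or a listener that simply never replies
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))      # connect() so the ICMP error is delivered to us
        s.send(payload)
        try:
            s.recv(65535)
        except ConnectionRefusedError:   # ECONNREFUSED <- ICMP port unreachable
            return "unreachable"
        except socket.timeout:
            return "silent"
        return "answered"


def start_udp_listener(reply):
    """Bind a UDP socket on 127.0.0.1:<ephemeral> in a background thread.

    reply=True echoes every datagram back (a "service"); reply=False swallows
    them, which from the sender's side looks exactly like a firewall DROP.
    Returns (port, stop_fn).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    srv.settimeout(0.2)              # short timeout so the loop can notice stop
    port = srv.getsockname()[1]
    stop = threading.Event()

    def loop():
        while not stop.is_set():
            try:
                data, peer = srv.recvfrom(65535)
            except socket.timeout:
                continue
            if reply:
                srv.sendto(data, peer)
        srv.close()

    t = threading.Thread(target=loop, daemon=True)
    t.start()

    def stop_fn():
        stop.set()
        t.join()

    return port, stop_fn


def closed_udp_port():
    """Pick a port with no listener by binding an ephemeral one and releasing it."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def demo():
    """Probe the three constructed cases on localhost and return the verdicts."""
    results = {}
    port, stop = start_udp_listener(reply=True)
    results["listening_service"] = probe_udp("127.0.0.1", port)
    stop()
    port, stop = start_udp_listener(reply=False)
    results["silent_listener"] = probe_udp("127.0.0.1", port)
    stop()
    results["closed_port"] = probe_udp("127.0.0.1", closed_udp_port())
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:18s} -> {verdict}")
```

Pointed at a host whose INPUT chain carries the DROP rule from the question, every probe from 192.168.1.5 returns "silent", whatever the port: that absence of both a UDP reply and an ICMP port unreachable is the evidence that the rule works, even though a capture on the firewall itself still shows the packets arriving.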