Hello, I'm using iptables.
I wanted to drop all incoming UDP packets, but I don't know why Wireshark sees all these packets. Moreover,
it says that packets were dropped.
asked 11 Jun '11, 16:03
One basic rule of network analysis is that you never run the analysis tool on the same system as the device under test (or device under suspicion), as that might not give you the right picture (as you are experiencing).
What you would want to do is run wireshark twice on systems on span/mirror ports that span/mirror the traffic on the outside and inside interfaces of the system running iptables. Then you can see the effect and effectiveness of the iptables rules in place.
answered 11 Jun '11, 22:04
My guess is that libpcap captures the packets just before they get processed (and blocked if UDP) by your iptables engine.
If your iptables machine is routing the packets you might wanna check on the other side if they exit as well (in which case your iptables has a problem). If it is an endpoint you should check if any UDP packet ever gets answered - either by a UDP packet if there is a service on that port, or an ICMP port unreachable packet if there is not. If you see none of these reply packets, dropping the UDP packets obviously works.
answered 11 Jun '11, 16:21
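Both answers come down to the same point: a capture taken on the filtering host is not evidence of what iptables did, so you verify the DROP rule some other way. The script below is an added illustration and is not code from the thread or from the iptables/Wireshark projects. It implements the two checks the answers suggest: reading the per-rule packet counters from `iptables -L INPUT -v -n -x` output (two constructed snapshots, not a real host) and, for an endpoint, scanning a capture from a mirror port for inbound UDP datagrams that never received a UDP or ICMP port-unreachable reply. The `Packet` record, the host address 192.0.2.10 and the peer addresses are constructed; for ICMP records the quoted original datagram's ports are folded into `sport`/`dport` as a simplification.

```python
"""Verify an iptables UDP DROP rule without trusting a capture on the filtering host.
Hypothetical helper code; assumptions are noted in the comments."""
from collections import namedtuple

# Constructed sample of `iptables -L INPUT -v -n -x` output (-x prints exact counters).
# Two snapshots, taken before and after sending test UDP traffic at the host.
SAMPLE_COUNTERS_BEFORE = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     120      9600 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0
    4500   3200000 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
"""
SAMPLE_COUNTERS_AFTER = SAMPLE_COUNTERS_BEFORE.replace("     120      9600 DROP", "     135     10800 DROP")


def parse_drop_counters(listing, proto="udp"):
    """Return [(pkts, bytes), ...] for every DROP rule matching `proto` in a chain listing."""
    results = []
    for line in listing.splitlines():
        fields = line.split()
        # Rule lines have at least: pkts bytes target prot opt in out source destination
        if len(fields) < 9 or not fields[0].isdigit():
            continue
        pkts, nbytes, target, prot = int(fields[0]), int(fields[1]), fields[2], fields[3]
        if target == "DROP" and prot == proto:
            results.append((pkts, nbytes))
    return results


def drop_rule_delta(before, after, proto="udp"):
    """Packets dropped between two counter snapshots (sum over all matching DROP rules).
    A delta of zero after sending test traffic means the rule is not matching it."""
    return sum(p for p, _ in parse_drop_counters(after, proto)) - \
        sum(p for p, _ in parse_drop_counters(before, proto))


# Constructed packet record for a capture taken on a mirror port, not on the host itself.
# For proto == "icmp", sport/dport hold the ports of the quoted original UDP datagram.
Packet = namedtuple("Packet", "src dst proto sport dport icmp_type icmp_code")

HOST = "192.0.2.10"  # constructed address of the endpoint running iptables


def unanswered_udp(packets, host):
    """Inbound UDP flows (peer, peer_port, host_port) that got neither a UDP reply
    nor an ICMP type 3 code 3 (port unreachable) from `host`."""
    inbound = {}
    for p in packets:
        if p.proto == "udp" and p.dst == host:
            inbound.setdefault((p.src, p.sport, p.dport), False)
    for p in packets:
        if p.src != host:
            continue
        if p.proto == "udp":
            key = (p.dst, p.dport, p.sport)  # reply swaps the ports
        elif p.proto == "icmp" and (p.icmp_type, p.icmp_code) == (3, 3):
            key = (p.dst, p.sport, p.dport)  # quoted original datagram keeps its ports
        else:
            continue
        if key in inbound:
            inbound[key] = True
    return sorted(k for k, answered in inbound.items() if not answered)


def drop_looks_effective(packets, host):
    """True when the capture contains inbound UDP and none of it was answered,
    which is what a working DROP rule on an endpoint looks like from outside."""
    seen = {(p.src, p.sport, p.dport) for p in packets if p.proto == "udp" and p.dst == host}
    return bool(seen) and len(unanswered_udp(packets, host)) == len(seen)


# Constructed capture: one probe is answered with port-unreachable, so DROP is not complete.
CAPTURE_LEAKY = [
    Packet("198.51.100.7", HOST, "udp", 40000, 53, None, None),
    Packet("198.51.100.7", HOST, "udp", 40001, 123, None, None),
    Packet(HOST, "198.51.100.7", "icmp", 40001, 123, 3, 3),
    Packet("203.0.113.9", HOST, "udp", 5555, 161, None, None),
]
# Constructed capture in which every inbound datagram stays unanswered.
CAPTURE_SILENT = [p for p in CAPTURE_LEAKY if p.proto == "udp"]

if __name__ == "__main__":
    print("dropped since snapshot:", drop_rule_delta(SAMPLE_COUNTERS_BEFORE, SAMPLE_COUNTERS_AFTER))
    print("unanswered (leaky):", unanswered_udp(CAPTURE_LEAKY, HOST))
    print("drop effective (leaky):", drop_looks_effective(CAPTURE_LEAKY, HOST))
    print("drop effective (silent):", drop_looks_effective(CAPTURE_SILENT, HOST))
```

The counter check answers the question directly on the host: the DROP rule's `pkts` column going up while the test traffic is sent is proof the rule matched, regardless of what a local Wireshark shows. The reply check is the endpoint test from the second answer, run over a capture taken from a span/mirror port as the first answer recommends.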