Help with INVALID packets rule. Best way to see the actual packet isloating the rest?‏

Help with INVALID packets rule. Best way to see the actual packet isloating the rest?‏

[Vishal Jumar]

Hello all.

Iam having many entries product of this rule in my syslog... 

iptables -A INPUT -m state --state INVALID -j LOG --log-prefix " Invalid NOT DROPPED"

Output:
==> /var/log/messages <==
Apr 12 10:10:04 server3 kernel:  Invalid NOT DROPPED IN=eth0 OUT= MAC=40:40:f1:21:08:d9:e0:5f:b9:4a:5f:ff:08:00 SRC=50.50.193.113 DST=164.177.152.170 LEN=40 TOS=0x00 PREC=0x00 TTL=109 ID=26573 DF PROTO=TCP SPT=56602 DPT=80 WINDOW=16425 RES=0x00 ACK FIN URGP=0


How can I view the packet that this rule match is originating?  There  must be a better way then sniffing all the traffic for 15 min from port 80.. because that would produce toooo much data.

Regards,
Vishal
 		 	   		  

Re: Help with INVALID packets rule. Best way to see the actual packet isloating the rest?‏

[Andrew Beverley]

On Thu, 2012-04-12 at 16:25 +0000, Vishal Jumar wrote:
> iptables -A INPUT -m state --state INVALID -j LOG --log-prefix "
> Invalid NOT DROPPED"
...
> How can I view the packet that this rule match is originating?

You may be able to use ulogd as the target instead. The following
website might help; it describes capturing strange packets and examining
them later with wireshark.

http://rm-rf.ca/blog/fun-iptables-ulogd-and-wireshark

Andy