From: "Pierluigi Frullani" <pigi@frumar.it>
To: Oumer Teyeb <oumer@kom.auc.dk>
Cc: netfilter@lists.netfilter.org
Subject: Re: Tcpdump and libipq
Date: Fri, 10 Oct 2003 09:52:03 +0200 (CEST)
Message-ID: <51014.212.239.118.101.1065772323.squirrel@www.frumar.it>

> Hi,

> Then I did an FTP session, and I have a very perplexing result:
> There is a 1 second diff between the timestamps in the data I set and
> the ones from tcpdump, but only when the packets are outgoing.
> For incoming packets it seems the tcpdump timestamp and the timestamp of
> the packet from libipq seem the same (of course there can be some microsecond
> differences). Why is it happening this way, and is there a possibility of
> making tcpdump save the data only after libipq has taken care of them?

I'm not an expert, but also from my tests, it seems to work the way you
explained before.
This is a bit annoying, because every application based on pcap (tcpdump,
snort, iptraf) is not (completely) useful for testing purposes.
I have a firewall with an IDS running on the same machine, and set up some
rules to block some suspicious traffic.
The rules are working, as I can see from the iptables logs, and from
sniffing the INSIDE side of the firewall, but if I sniff (tcpdump/iptraf)
the OUTSIDE interface OR if I take a look in the snort logs, I can notice those
suspicious packets entering the interface.
Unfortunately this gives me a lot of false positive alerts, because
snort reads the packets BEFORE they reach iptables (kernel side).
HTH
Pigi
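An added diagnostic, not code from this thread or from the netfilter project, that pairs packets recorded by a pcap sniffer (tcpdump) with the same packets as seen from the QUEUE target through libipq and reports the median timestamp offset per direction, so the skew on outgoing packets described above can be measured rather than eyeballed. The one-line-per-packet log format, the addresses and the timestamps are constructed for the example.

```python
import re
from statistics import median

# Constructed record format (not tcpdump's or libipq's native output):
#   "<epoch>.<usec> <in|out> <src>:<sport> > <dst>:<dport> seq=<n>"
# Both capture points are assumed to have been reduced to this form first.
LINE = re.compile(
    r"^(?P<sec>\d+)\.(?P<usec>\d{1,6}) (?P<dir>in|out) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) > (?P<dst>[\d.]+):(?P<dport>\d+) seq=(?P<seq>\d+)$"
)

def parse(lines):
    """Map (dir, src, sport, dst, dport, seq) -> timestamp in integer microseconds.
    Integers avoid the float rounding that epoch-sized doubles would introduce."""
    records = {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # ignore anything that is not a packet record
        key = (m["dir"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]), int(m["seq"]))
        records[key] = int(m["sec"]) * 1_000_000 + int(m["usec"].ljust(6, "0"))
    return records

def skew_by_direction(pcap_lines, ipq_lines):
    """Median (libipq_ts - pcap_ts) in microseconds per direction, over packets
    present in both logs; None when a direction has no matched packets."""
    pcap, ipq = parse(pcap_lines), parse(ipq_lines)
    deltas = {"in": [], "out": []}
    for key, ts in ipq.items():
        if key in pcap:
            deltas[key[0]].append(ts - pcap[key])
    return {d: (median(v) if v else None) for d, v in deltas.items()}

# Constructed sample: incoming packets agree to within microseconds, while
# outgoing packets are stamped about one second apart at the two capture points.
PCAP_LOG = [
    "1065772323.100000 in 192.0.2.10:2049 > 198.51.100.5:21 seq=1000",
    "1065772323.100250 in 192.0.2.10:2049 > 198.51.100.5:21 seq=1040",
    "1065772323.500000 out 198.51.100.5:21 > 192.0.2.10:2049 seq=5000",
    "1065772323.700000 out 198.51.100.5:21 > 192.0.2.10:2049 seq=5060",
]
IPQ_LOG = [
    "1065772323.100080 in 192.0.2.10:2049 > 198.51.100.5:21 seq=1000",
    "1065772323.100330 in 192.0.2.10:2049 > 198.51.100.5:21 seq=1040",
    "1065772322.500100 out 198.51.100.5:21 > 192.0.2.10:2049 seq=5000",
    "1065772322.700050 out 198.51.100.5:21 > 192.0.2.10:2049 seq=5060",
]

if __name__ == "__main__":
    print(skew_by_direction(PCAP_LOG, IPQ_LOG))
```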

