where do packets arrive first? libpcap or Firewall?

Networking/Security Forums -> Firewalls // Intrusion Detection - External Security

Author: ninja123 Posted: Wed Jul 08, 2009 1:17 pm    Post subject: where do packets arrive first? libpcap or Firewall?
    ----
Hi all,

In a Linux system running netfilter, with some general accept/deny iptables rules, where do packets arrive first? Is it at the libpcap packet sniffing interface or the netfilter framework?

Thanks in advance

Author: heba Location: Cremona (Italy) Posted: Thu Jul 09, 2009 9:10 am    Post subject:
    ----
hi,
It depends on whether you have installed a modem or a router.

Modem

Internet -> modem -> libpcap packet sniffer-> netfilter

Router

Internet -> router -> netfilter router -> libpcap packet sniffer -> netfilter network


I have explained in great detail; I hope it is enough, otherwise I will remedy that and tell more about it.

Author: abrahamj Posted: Tue Sep 21, 2010 4:37 am    Post subject:
    ----
I think that packets arrive at the firewall first.

Author: Sgt_B Location: Chicago, IL US Posted: Tue Sep 21, 2010 3:08 pm    Post subject:
    ----
Actually libpcap will see the packet before it is handled by netfilter. So if your iptables denies ICMP and you try to ping the host, tcpdump will show the ICMP echo requests but the firewall will dump the traffic.

Now, I can't remember offhand, but I think the prerouting chain might be different. So if you do some NATing, prerouting might muck with the packet before libpcap sees it. Not positive so test it out on your own if that's important for your results.
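
One way to run the test suggested in the last post, as an added example that is not part of the thread: it drops ICMP with iptables inside a scratch network namespace, captures on the same interface with tcpdump, pings it, and compares the capture count with the rule's packet counter. The namespace name, interface names, capture path and 10.9.8.0/30 addresses are constructed for the test; it assumes root plus iproute2, iptables, tcpdump and ping.

```sh
#!/bin/sh
# Added example: does a libpcap capture see inbound ICMP that iptables drops?
# NS, CAP, the veth names and the 10.9.8.x addresses are constructed values.
NS=pcaptest; CAP=/tmp/pcaptest.pcap

# Packet counter of the ICMP DROP rule, parsed from `iptables -v -S` output
# on stdin (rule lines carry "-c <packets> <bytes>").
drop_count() {
  awk '/-p icmp/ && /-j DROP/ { for (i = 1; i < NF; i++) if ($i == "-c") { print $(i+1); exit } }'
}

# Interpret the measurements: $1 = echo requests captured, $2 = rule counter.
verdict() {
  if [ "$2" -eq 0 ]; then echo "inconclusive: rule never matched"
  elif [ "$1" -ge "$2" ]; then echo "capture saw the packets netfilter dropped"
  else echo "netfilter dropped packets the capture never saw"; fi
}

run_experiment() {
  ip netns add "$NS"
  ip link add veth-host type veth peer name veth-ns
  ip link set veth-ns netns "$NS"
  ip addr add 10.9.8.1/30 dev veth-host && ip link set veth-host up
  ip -n "$NS" addr add 10.9.8.2/30 dev veth-ns && ip -n "$NS" link set veth-ns up
  ip netns exec "$NS" iptables -A INPUT -p icmp -j DROP
  # Capture inside the namespace, on the interface the pings arrive on.
  ip netns exec "$NS" tcpdump -i veth-ns -n -w "$CAP" icmp 2>/dev/null &
  pid=$!
  sleep 1
  ping -c 3 -W 1 10.9.8.2 >/dev/null   # no replies expected: the rule drops the requests
  sleep 1; kill "$pid"; wait "$pid" 2>/dev/null
  captured=$(tcpdump -n -r "$CAP" 'icmp[icmptype] == icmp-echo' 2>/dev/null | wc -l)
  dropped=$(ip netns exec "$NS" iptables -v -S INPUT | drop_count)
  echo "captured=$captured dropped=$dropped: $(verdict "$captured" "$dropped")"
  ip netns del "$NS"; rm -f "$CAP"     # deleting the namespace removes the veth pair
}

# Only touch the system when explicitly asked: sh script.sh run
if [ "${1:-}" = "run" ]; then run_experiment; fi
```

The script only reports what it measured; the same layout can be reused with a NAT rule in the namespace's PREROUTING chain to check the second case raised above.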



All times are GMT + 2 Hours