Iptables and tcpdump question
When you are running tcpdump does it see the network traffic before iptables is run or after?
I have a backup server that doesn't do anything during the daytime and I also have an Intrusion Detection server (IDS). Sometimes I see some oddball traffic coming through the IDS server, but there is so much info that I cannot just look at that, so I wanted to use iptables to redirect the traffic to my backup machine and then use tcpdump to just look at the packets I am redirecting. Where the problem comes in is I have constant traffic from router protocols and netbios queries and such that I am having trouble just seeing what traffic is being redirected. Is there a way I can just block all the traffic going to the backup machine except for what's coming from the IDS server? When I block the traffic in iptables it seems that tcpdump picks it up before it is blocked by iptables.
Tcpdump shows the packets as they are in the cable.
You can give tcpdump rules to select what to show/not show. You could use an alternative sniffer such as ethereal.
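The observation in the question is correct: on ingress, libpcap taps the packet at the link layer before netfilter sees it, so an iptables DROP never hides anything from tcpdump on the same host. The practical answer is therefore to filter at capture time, as the reply suggests. The following shell snippet is an added example, not code from the thread; it builds a BPF capture filter that keeps only traffic from the IDS host and excludes the background noise the poster describes (NetBIOS/SMB, OSPF, VRRP, RIP), validates it, and, as an alternative, shows how an NFLOG rule can hand only the redirected packets to tcpdump. The IDS address, interface name and the port/protocol set are assumptions to adjust.

```shell
# Added example (not from the original thread). IDS_HOST and IFACE are
# constructed placeholders; override them in the environment.
IDS_HOST="${IDS_HOST:-192.0.2.10}"
IFACE="${IFACE:-eth0}"

# Build a BPF capture filter: only packets to/from the IDS host, minus the
# chatter the poster mentions. ip proto 89 = OSPF, 112 = VRRP, udp 520 = RIP,
# 137/138/139/445 = NetBIOS name/datagram/session and SMB.
build_filter() {
    ids="$1"
    printf '%s' "host $ids and not (udp port 137 or udp port 138 or tcp port 139 or tcp port 445) and not ip proto 89 and not ip proto 112 and not udp port 520"
}

# Ask tcpdump to compile the filter without capturing (-d dumps the BPF
# program). Returns 2 if tcpdump is not installed, non-zero if the
# expression does not compile; 0 when it is valid.
check_filter() {
    command -v tcpdump >/dev/null 2>&1 || return 2
    tcpdump -i "$IFACE" -d "$(build_filter "$1")" >/dev/null 2>&1
}

# Capture on the backup machine with the filter applied (needs root or
# CAP_NET_RAW). Filtering here is what actually hides the noise, because the
# capture tap sits before netfilter on the inbound path.
capture() {
    tcpdump -ni "$IFACE" "$(build_filter "$IDS_HOST")"
}

# Alternative: instead of guessing what the redirect rule matched, let
# netfilter copy exactly those packets to a log group and read that group
# with tcpdump. Assumes libpcap was built with nflog support and that the
# redirect rule lives in the mangle PREROUTING chain; group 5 is arbitrary.
tap_via_nflog() {
    iptables -t mangle -I PREROUTING -s "$IDS_HOST" -j NFLOG --nflog-group 5
    tcpdump -ni nflog:5
}
```

Usage: `IDS_HOST=10.0.0.5 IFACE=eth1 sh -c '. ./capture.sh; check_filter "$IDS_HOST" && capture'`. The NFLOG variant is the more precise answer to "show me only what I am redirecting": only packets that hit the rule reach tcpdump, regardless of what else is on the wire.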