Iptables and tcpdump question
When you are running tcpdump does it see the network traffic before iptables is run or after?
I have a backup server that doesn't do anything during the daytime and I also have an Intrusion Detection server (IDS). Sometimes I see some oddball traffic coming through the IDS server, but there is so much info that I cannot just look at that, so I wanted to use iptables to redirect the traffic to my backup machine and then use tcpdump to just look at the packets I am redirecting.
Where the problem comes in is that I have constant traffic from router protocols and NetBIOS queries and such, so I am having trouble just seeing what traffic is being redirected. Is there a way I can just block all the traffic going to the backup machine except for what's coming from the IDS server? When I block the traffic in iptables it seems that tcpdump picks it up before it is blocked by iptables.
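An added example (not part of the original post) showing why a local iptables DROP does not hide packets from tcpdump on the backup host, and two ways to see only the traffic you care about: a kernel-side BPF capture filter, or an iptables NFLOG rule that hands exactly the matched packets to tcpdump. IFACE, IDS_IP (an RFC 5737 test address) and NFLOG_GROUP are placeholders.

```shell
#!/bin/sh
# Added example, not from the original thread. Placeholders: IFACE (interface on the
# backup host), IDS_IP (the IDS server, RFC 5737 test address), NFLOG_GROUP (any free
# netfilter log group). On Linux tcpdump reads from a packet socket that sees ingress
# frames BEFORE the netfilter (iptables) hooks, so a DROP rule on this host cannot hide
# packets from "tcpdump -i eth0". Filter inside tcpdump instead, or capture only the
# packets an iptables rule matched by sending them to an NFLOG group.

ipv4_ok() {
    # accept only dotted-quad addresses so a typo cannot turn into a broken rule
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Option 1: BPF capture filter; only frames whose source is the IDS are handed up,
# so the router-protocol and NetBIOS chatter never reaches the screen.
capture_cmd() {
    iface=$1; ids=$2
    ipv4_ok "$ids" || return 1
    echo "tcpdump -n -i $iface 'src host $ids'"
}

# Option 1b: a filter that drops the constant chatter (NetBIOS, RIP, OSPF, ARP)
# for the times you want everything else on the wire, not just the IDS traffic.
noise_filter() {
    echo "not (udp port 137 or udp port 138 or tcp port 139 or udp port 520 or ip proto 89 or arp)"
}

# Option 2: mark matched packets in iptables and let tcpdump read the NFLOG group.
# The capture then contains exactly what the rule matched and nothing else.
nflog_cmds() {
    ids=$1; group=$2
    ipv4_ok "$ids" || return 1
    echo "iptables -I INPUT -s $ids -j NFLOG --nflog-group $group"
    echo "tcpdump -n -i nflog:$group"
}

# "sh this.sh run" (as root) executes Option 2; with no argument it only prints.
if [ "${1:-}" = run ]; then
    nflog_cmds "${IDS_IP:-192.0.2.10}" "${NFLOG_GROUP:-5}" | while read -r cmd; do sh -c "$cmd"; done
else
    capture_cmd "${IFACE:-eth0}" "${IDS_IP:-192.0.2.10}"
    echo "tcpdump -n -i ${IFACE:-eth0} '$(noise_filter)'"
    nflog_cmds "${IDS_IP:-192.0.2.10}" "${NFLOG_GROUP:-5}"
fi
```

If you need the noise dropped before it even reaches the backup host, the DROP rule has to live on the upstream device (router or the IDS itself), not on the capturing machine.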