When you are running tcpdump does it see the network traffic before iptables is run or after?

I have a backup server that doesn't do anything during the daytime and I also have a Intrusion Detection server(IDS), sometimes I see some oddball traffic coming through the IDS server but there is so much info that I cannot just look at that, I wanted to use iptables to redirect the traffic to my backup machine and then use tcpdump to just look at the packets I am redirecting.

Where the problem comes in is I have constent traffic from router protocols and netbios queries and such that I am having trouble just seeing what traffic is being redirected. Is there a way I can just block all the traffic going to the backup machine except for whats comming from the IDS server? When I block the traffic in iptables it seems that tcpdump picks it up before it is blocked by iptables.

Tcpdump shows the packets as they are in the cable.

You can give tcpdump rules to select what to show/not show.

You could use an alternative sniffer such as ethereal.