LinuxQuestions.org
Old 01-26-2015, 12:43 PM   #1
szejiekoh
LQ Newbie
 
Registered: Jun 2014
Posts: 28

Rep: Reputation: Disabled
ngrep before iptables or iptables before ngrep


Dear all,

One of my colleagues told me that
ngrep is before iptables -> meaning that if I set up my iptables to block some traffic, doing an ngrep will still allow me to see the attempts coming in.
Is it correct?
I tried to simulate the above statement as follows.

On my server console

Quote:
1) iptables --policy INPUT DROP
2) ngrep -d eth0 port 22 (eth0 is my production interface)
On my client console, I open PuTTY, choose SSH, input the server IP, and try to connect.

On my server console, I saw this:

Quote:
[root-server ~] ngrep -d eth0 port 22
interface: eth0 (192.168.0.0/255.255.255.0)
filter: (port 22) and (ip or ip6)
###
It seems that every time I attempt to connect, I see a "#"
being displayed.

Q1) What is the "#" that is displayed?
Q2) In this case, how do I confirm that the incoming ssh request did indeed reach my server (since I can't see any content or source IP information at all)?

Regards,
Noob
 
Old 01-27-2015, 01:00 PM   #2
szejiekoh
LQ Newbie
 
Registered: Jun 2014
Posts: 28

Original Poster
Rep: Reputation: Disabled
Help, anyone?
 
Old 03-11-2015, 11:04 PM   #3
fatcashews
LQ Newbie
 
Registered: Mar 2015
Posts: 1

Rep: Reputation: Disabled
I know it's 2 months since you posted your question, but I too am looking for the answer to this.
 
Old 03-12-2015, 10:00 AM   #4
GunFighT
Member
 
Registered: May 2014
Location: Romania
Distribution: Debian/Ubuntu, Rocky Linux
Posts: 53

Rep: Reputation: Disabled
Hello,

If you set the INPUT policy to DROP, don't expect to see anything on any interface, because it drops all packets.
At least if you DROP all, try:
iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m comment --comment "ssh Incoming port" -j ACCEPT

Then, you can make the capture with ngrep.
The correct order is: ngrep -d ethX port 22.

Also, you can capture with tcpdump or tshark/Wireshark.

Hope this helps.
 
1 members found this post helpful.
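
For Q2, an added example (not from any poster in this thread): tcpdump, mentioned above, prints a header line for every packet, including the payload-less SYN that ngrep shows only as "#", so the source of each attempt can be counted from its output. The capture lines below are constructed in the format `tcpdump -nn -i eth0 'tcp port 22'` prints, and the function names `ssh_syn_sources` and `sample_capture` are assumptions.

```shell
#!/bin/sh
# Count inbound TCP SYNs (new connection attempts) to port 22 per source IP,
# reading tcpdump -nn text output on stdin. Added example; names are hypothetical.

# ssh_syn_sources: prints "<count> <source-ip>" lines, busiest source first.
ssh_syn_sources() {
    awk '
        # Field layout of a tcpdump -nn IPv4 TCP line:
        #   $1 time  $2 "IP"  $3 src.port  $4 ">"  $5 dst.port:  $6 "Flags"  $7 "[S],"
        # "[S]," is a bare SYN; a SYN-ACK prints as "[S.]," and is skipped.
        $2 == "IP" && $6 == "Flags" && $7 == "[S]," {
            dst = $5; sub(/:$/, "", dst)
            if (dst !~ /\.22$/) next            # keep only destination port 22
            src = $3; sub(/\.[0-9]+$/, "", src)  # strip the source port
            count[src]++
        }
        END { for (ip in count) print count[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# sample_capture: constructed tcpdump -nn lines (not a real capture).
# The first client retries its SYN twice, as a client does when nothing answers.
sample_capture() {
    cat <<'EOF'
12:43:10.100001 IP 192.168.0.50.51234 > 192.168.0.10.22: Flags [S], seq 1001, win 8192, options [mss 1460], length 0
12:43:13.100002 IP 192.168.0.50.51234 > 192.168.0.10.22: Flags [S], seq 1001, win 8192, options [mss 1460], length 0
12:43:19.100003 IP 192.168.0.50.51234 > 192.168.0.10.22: Flags [S], seq 1001, win 8192, options [mss 1460], length 0
12:44:02.200001 IP 192.168.0.77.40022 > 192.168.0.10.22: Flags [S], seq 2002, win 64240, options [mss 1460], length 0
12:44:05.300001 IP 192.168.0.10.22 > 192.168.0.60.50000: Flags [P.], seq 1:42, ack 1, win 229, length 41
12:44:06.300002 IP 192.168.0.60.50000 > 192.168.0.10.22: Flags [.], ack 42, win 1024, length 0
EOF
}

# Offline demonstration on the constructed lines.
# Live use on the server (as root), stopping after 50 packets:
#   tcpdump -nn -c 50 -i eth0 'tcp dst port 22' | ssh_syn_sources
sample_capture | ssh_syn_sources
```

Every counted line ends in `length 0`: a SYN carries no payload for ngrep to search or print.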
  

