Using tcpdump to find out the TTL of a packet going outside my box

Menestrel · 07-30-2005, 12:02 PM

I patched iptables with patch-o-matic and recompiled my kernel in order to use the TTL chain to change my TTL to 128. How can I verify with tcpdump that actually iptables is modifing this value of the TTL ?

the rule is:
iptables -t mangle -A POSTROUTING -o eth0 -j TTL --ttl-set 128

is it OK ?

fr_laz · 07-30-2005, 12:12 PM

Hi,

looks quite right to me...
using tcpdump you'll have to look at the ip header structure to know which field you're looking for. if you've got a X server running, I'll suggest to use ethereal which will make the work for you (ethereal's gui makes things very easy to interprete).

Menestrel · 07-30-2005, 12:37 PM

no sorry, I have no X server installed, I did a tcpdump -vv|grep 128, and it appears that my rule is working.

I have another question when I issue the above command, packet I caught by tcpdump when leaving the POSTROUTING chain and the PREROUTING chain ?

kolt · 10-26-2005, 09:18 AM

hi, Menestrel! i'd like to use the same rule

Quote:

iptables -t mangle -A POSTROUTING -o eth0 -j TTL --ttl-set 128

but i can't manage the patching part

. would you please tell me how should i do it; what kernel did you patch; does it matter what version of patch-o-matic you use?
of course anyone is welcome to help

thanks in advance!

Menestrel · 01-20-2006, 11:03 AM

well, you need to have your kernel source downloaded and untared, then you download the latest patch-o-matic and then untar it, then from the pathc-o-matic directory run: KERNEL_DIR=path_to_kernel /runme extra, and select yes for the ttl patch, then recompile your kernel and select the TTL target in the netfilter configuration.