
where do packets arrive first? libpcap or Firewall?

ninja123
Posted: Wed Jul 08, 2009 1:17 pm    Post subject: where do packets arrive first? libpcap or Firewall?

Hi all,

In a Linux system running netfilter, with some general accept/deny iptables rules, where do packets arrive first? Is it at the libpcap packet sniffing interface or the netfilter framework?

Thanks in advance
heba

Posted: Thu Jul 09, 2009 9:10 am

Hi,
it depends on whether you have installed a modem or a router.

Modem

Internet -> modem -> libpcap packet sniffer -> netfilter

Router

Internet -> router -> netfilter router -> libpcap packet sniffer -> netfilter network


I have explained in great detail; I hope it is enough, otherwise I will remedy that and tell more about it.
abrahamj

Posted: Tue Sep 21, 2010 4:37 am

I think that packets arrive at the firewall first.
Sgt_B

Posted: Tue Sep 21, 2010 3:08 pm

Actually libpcap will see the packet before it is handled by netfilter. So if your iptables denies ICMP and you try to ping the host, tcpdump will show the ICMP echo requests but the firewall will dump the traffic.

Now, I can't remember offhand, but I think the prerouting chain might be different. So if you do some NATing, prerouting might muck with the packet before libpcap sees it. Not positive so test it out on your own if that's important for your results.
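
To run the kind of test suggested in the post above, here is an added lab script (not part of the thread or written by any poster) that drops ICMP inside a throwaway network namespace, captures on the same interface, and compares what tcpdump saw with the DROP rule's packet counter. The names fwlab, veth-h, veth-n and the 10.99.0.0/24 addresses are constructed; it assumes Linux, root, iproute2, iptables, tcpdump and ping.

```sh
#!/bin/sh
# Added example, not from the thread: ingress ordering of capture tap vs. netfilter.
# Assumes Linux, root, iproute2, iptables, tcpdump, ping. All names and
# addresses below are constructed for the lab.
NS=fwlab; HOST_IF=veth-h; NS_IF=veth-n; HOST_IP=10.99.0.1; NS_IP=10.99.0.2

# Count ICMP echo requests in tcpdump text output read from stdin.
count_requests() { grep -c 'ICMP echo request' || true; }

# Packet counter of the first DROP rule in `iptables -nvxL INPUT` output (stdin).
drop_count() {
  awk '$3 == "DROP" { print $1; found = 1; exit } END { if (!found) print 0 }'
}

# Interpret the counts: $1 = requests captured, $2 = packets hit by DROP.
verdict() {
  if [ "$2" -eq 0 ]; then echo "inconclusive"
  elif [ "$1" -gt 0 ]; then echo "tap-before-netfilter"
  else echo "netfilter-before-tap"; fi
}

cleanup() { ip netns del "$NS" 2>/dev/null; rm -f "$CAP"; }

run_lab() {
  CAP=$(mktemp); trap cleanup EXIT
  ip netns add "$NS"
  ip link add "$HOST_IF" type veth peer name "$NS_IF"
  ip link set "$NS_IF" netns "$NS"
  ip addr add "$HOST_IP/24" dev "$HOST_IF"
  ip link set "$HOST_IF" up
  ip netns exec "$NS" ip addr add "$NS_IP/24" dev "$NS_IF"
  ip netns exec "$NS" ip link set "$NS_IF" up
  # Firewall inside the namespace: drop all ICMP arriving on INPUT.
  ip netns exec "$NS" iptables -A INPUT -p icmp -j DROP
  # Capture on the same interface the DROP rule protects.
  ip netns exec "$NS" tcpdump -l -n -i "$NS_IF" icmp >"$CAP" 2>/dev/null &
  td=$!
  sleep 1
  ping -c 3 -W 1 "$NS_IP" >/dev/null 2>&1   # no replies expected
  sleep 1
  kill "$td"; wait "$td" 2>/dev/null
  seen=$(count_requests <"$CAP")
  dropped=$(ip netns exec "$NS" iptables -nvxL INPUT | drop_count)
  echo "captured=$seen dropped=$dropped => $(verdict "$seen" "$dropped")"
}

if [ "${1:-}" = "run" ]; then run_lab; fi
```

Invoke it as root with the single argument `run`; without that argument the script only defines its functions and touches nothing.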