tcpdump and iptables

J. Hunter Heinlen dracus at TheWorld.com
Mon Jun 23 14:56:22 EDT 2003


Derek Martin wrote:

> When a frame comes into an interface, the kernel (e.g. the iptables
> filters) sees it first before any userland processes can muck with it.

Are you certain about that?  I thought that tcpdump violated the usual
course of stack processing, and got a copy of every packet to be received
by the listening interface before they got placed onto the IP stack, 
and that was why tcpdump needed to be executed with setuid as root, and
the packet socket option compiled into the kernel.  The support 
documentation clearly states that tcpdump communicates directly with
the network device.

Hunter



