Wireshark · Ethereal-users: Re: [Ethereal-users] Where does ethereal hook into Linux 2.4

Ethereal-users: Re: [Ethereal-users] Where does ethereal hook into Linux 2.4

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Richard Molen <rmolen@xxxxxxxxxxxx>

Date: Sat, 13 Apr 2002 20:46:08 -0700

Thanks for the response Guy,

I figured that ethereal was not the thing that actually hooked into thekernel, but it is nice to know thespecifics. I considered posting my query on the linux networkingmailing list, but thought that

many ethereal users may have had the same question.

With the info you provided, I should be able to post on the networkingmailing list & get an

answer -- thanks again for your help.

-Ric


Date: Fri, 12 Apr 2002 13:09:02 -0700
From: Guy Harris <guy@xxxxxxxxxx>
To: Richard Molen <rmolen@xxxxxxxxxxxx>
Cc: ethereal-users@xxxxxxxxxxxx
Subject: Re: [Ethereal-users] Where does ethereal hook into Linux 2.4

On Fri, Apr 12, 2002 at 12:01:00PM -0700, Richard Molen wrote:

Where does ethereal (& presumably tcpdump) hook into the new Linuxkernel 2.4.16 using netfilter & iptables?

Nowhere. They just call libpcap, and let *it* do the hooking. [:-)]

Now, the next question would then be "where does libpcap hook into the
new Linux kernel 2.4.16 using netfilter & iptables?"

The answer to that question is "the same place it hooks into any other
Linux 2.2[.x] or 2.4[.x] kernel - through a PF_PACKET socket."

The next question would be "where do PF_PACKETS tap into the network
data stream in a 2.4.16 system using netfilter & iptables?"

I don't know the answer offhand, and don't have time to search for it
(either in documentation or, as I fear would be required, the code); I'd
suggest asking on, say, the linux-net mailing list, if nobody else on
this list happens to know the answer.


Date: Fri, 12 Apr 2002 12:01:00 -0700
From: Richard Molen <rmolen@xxxxxxxxxxxx>
To: ethereal-users@xxxxxxxxxxxx
Subject: [Ethereal-users] Where does ethereal hook into Linux 2.4

Where does ethereal (& presumably tcpdump) hook into the new Linuxkernel 2.4.16 using netfilter & iptables?

Any help would be appreciated.

The netfilter documentation shows basically the following...

eth1>-|A|----PREROUTING-------ROUTING-------FORWARD---------POSTROUTING----|A|---> eth1|^||INOUT||--------------local host-----------

When using 'ethereal' to monitor the interface to the ISP at eth1 atpoint '|A|', it seems that IP Masquerading is not manglingthe source address in the POSTROUTING hook for host1 traffic. It seemsto work fine from the local host though.


[ISP]------[<eth1>-|A|--local host--<eth0>]-----[host1]

Richard Molen

Prev by Date: Re: [Ethereal-users] Required help for the syntax format which can be used for offline analysis
Next by Date: [Ethereal-users] Re:
Previous by thread: Re: [Ethereal-users] Where does ethereal hook into Linux 2.4
Next by thread: [Ethereal-users] Required help for the syntax format which can be used for offline analysis
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$