On Thu, Sep 19, 2002 at 10:39:11PM -0500, Aron Silverton wrote:
> What is the order of operations on a FreeBSD machine using ipfw when
> sniffing packets with Ethereal?
The link-layer interface driver calls "bpf_tap()" or "bpf_mtap()" to
hand packets to BPF before handing them to any other part of the
system...
> It appears that Ethereal is showing me
> packets *before* they are inspected by the firewall.
...in particular, before handing them to IPFW.
> My firewall
> logging shows the packets in question being dropped, but Ethereal shows
> them in the capture. Is there a way to sniff the packets *after* they
> have traversed the firewall rules?
I don't know. I'd suggest asking one of the FreeBSD lists whether
there's any way to do BPF captures (as that's what all libpcap-based
programs, such as Ethereal and tcpdump and snort and so on use to
capture traffic) on the stream of packets that go through ipfw.
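Since BPF sees every frame before ipfw does, one practical way to get the "after the firewall" view is to join the capture with the ipfw deny log. The script below is an added example, not from this thread; it uses constructed tcpdump-style lines and constructed ipfw syslog lines in the classic "ipfw: RULE Deny PROTO SRC:PORT DST:PORT in via IF" layout, and marks each captured packet as dropped or passed.

```shell
#!/bin/sh
# Added example: mark which BPF-captured packets ipfw later dropped.

# Constructed sample: tcpdump text output (the pre-firewall BPF view).
CAPTURE='22:39:11.100001 10.0.0.5.4321 > 192.168.1.10.22: S 1:1(0) win 5840
22:39:11.100002 10.0.0.7.53000 > 192.168.1.10.80: S 2:2(0) win 5840
22:39:11.100003 10.0.0.5.4322 > 192.168.1.10.25: S 3:3(0) win 5840'

# Constructed sample: ipfw log lines from syslog (the filter decisions).
IPFW_LOG='Sep 19 22:39:11 host kernel: ipfw: 300 Deny TCP 10.0.0.5:4321 192.168.1.10:22 in via fxp0
Sep 19 22:39:11 host kernel: ipfw: 100 Accept TCP 10.0.0.7:53000 192.168.1.10:80 in via fxp0
Sep 19 22:39:11 host kernel: ipfw: 300 Deny TCP 10.0.0.5:4322 192.168.1.10:25 in via fxp0'

# denied_flows LOG: print "SRC:PORT DST:PORT" for every Deny line.
# Locates the "ipfw:" token so leading syslog fields may vary.
denied_flows() {
  printf '%s\n' "$1" | awk '{
    for (i = 1; i <= NF; i++)
      if ($i == "ipfw:" && $(i + 2) == "Deny") print $(i + 4), $(i + 5)
  }'
}

# classify_capture CAPTURE LOG: prefix each captured packet with
# DROPPED or PASSED according to whether ipfw logged a Deny for its flow.
classify_capture() {
  denied=$(denied_flows "$2" | tr '\n' ';')
  printf '%s\n' "$1" | awk -v denied="$denied" '
    BEGIN { n = split(denied, d, ";"); for (i = 1; i <= n; i++) drop[d[i]] = 1 }
    {
      # tcpdump writes a.b.c.d.port; ipfw writes a.b.c.d:port
      split($2, s, "."); src = s[1] "." s[2] "." s[3] "." s[4] ":" s[5]
      sub(/:$/, "", $4)
      split($4, t, "."); dst = t[1] "." t[2] "." t[3] "." t[4] ":" t[5]
      key = src " " dst
      print (key in drop ? "DROPPED " : "PASSED  ") key
    }'
}

# count_dropped CAPTURE LOG: number of captured packets ipfw denied.
count_dropped() {
  classify_capture "$1" "$2" | grep -c '^DROPPED'
}

classify_capture "$CAPTURE" "$IPFW_LOG"
```

On a live host the same join works with `tcpdump -n -i fxp0` output and the `ipfw log` lines from `/var/log/security`, provided the deny rules carry the `log` keyword.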