Re: netfilter hook questions

From: topi
Date: Thu Mar 01 2007 - 05:27:54 EST


El Thu, 01 Mar 2007 12:25:23 +0700
Mulyadi Santosa <mulyadi.santosa@xxxxxxxxx> ha escrit:

> Hi
> > the problem is that with a active RTP flow arriving to the box
> > (tcpdump can see it) my function doesn't get any packet.
> >
> > however, when the same box that is capturing also participates in
> > the RTP flow, it's received correctly in the hook.
> >
> > so, why is not working the promiscuous mode? i'm missing something?
> >
> I am just adding another "suspect" here. The tcpdump (which is using
> libpcap) might be operating at layer 2 (data link?), while netfilter
> operates in layer 3. Since this is just "sniffing", layer 2 of Linux
> network stack quickly revealed that this packet is not actually for
> your machine, so it it dropped.

yes, it's what now i know, netfilter hooks only get traffic that comes
in layer 3, but i saw that there's a 'promisc' patch (for Linux 2.4) at:

and i don't know if its a similar feature for Linux 2.6, that will be
my solution.

i wrote to netfilter-devel mailing list
(with no results at the moment)

> Maybe, you can observe the code from program like Dug Song's dsniff
> and see how it did the monitoring or even packet interception.

yes, but i need to get this working in kernel space, so it's an
academic work. in addition, the module can block traffic, when running
in a router, and for this reason i implemented it in kernel space.

thanks for your help,


> regards,
> Mulyadi
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at