Re: netfilter hook questions

From: Hayim Shaul
Date: Tue Mar 06 2007 - 07:27:18 EST

On Thu, 1 Mar 2007, topi wrote:


On Thu, 01 Mar 2007 12:25:23 +0700
Mulyadi Santosa <mulyadi.santosa@xxxxxxxxx> wrote:

the problem is that with an active RTP flow arriving at the box
(tcpdump can see it) my function doesn't get any packets.

however, when the same box that is capturing also participates in
the RTP flow, it's received correctly in the hook.

so, why is promiscuous mode not working? am I missing something?

I am just adding another "suspect" here. The tcpdump (which is using
libpcap) might be operating at layer 2 (data link?), while netfilter
operates in layer 3. Since this is just "sniffing", layer 2 of the Linux
network stack quickly revealed that this packet is not actually for
your machine, so it is dropped.

yes, that's what I know now, netfilter hooks only get traffic that comes
in at layer 3, but I saw that there's a 'promisc' patch (for Linux 2.4) at:

and I don't know if there's a similar feature for Linux 2.6, that will be
my solution.

Have you tried commenting out the "if" that checks the MAC address?
I tried it once with 2.6.8, and as far as I saw and remember it worked.
I know it's not robust, but it's a quick solution.

i wrote to netfilter-devel mailing list
(with no results at the moment)

Maybe you can look at the code of a program like Dug Song's dsniff
and see how it did the monitoring or even packet interception.

yes, but i need to get this working in kernel space, so it's an
academic work. in addition, the module can block traffic, when running
in a router, and for this reason i implemented it in kernel space.

thanks for your help,
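
An added example, not code from this thread or from the kernel: a userspace C model of why tcpdump sees the RTP frames while the netfilter hook does not. It assumes the check discussed above is the IPv4 receive path dropping frames classified as "other host"; the function names, the local `PKT_*` enum and the sample MAC addresses and frames are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Local stand-ins for the kernel's packet classes (names are this model's own). */
enum pkt_type { PKT_HOST, PKT_BROADCAST, PKT_MULTICAST, PKT_OTHERHOST };

/* Constructed sample data: interface MAC and three 14-byte Ethernet headers. */
const uint8_t dev_mac[6]      = {0x02,0,0,0,0,0x01};
const uint8_t frame_host[14]  = {0x02,0,0,0,0,0x01, 0x02,0,0,0,0,0x02, 0x08,0x00};
const uint8_t frame_other[14] = {0x02,0,0,0,0,0x03, 0x02,0,0,0,0,0x02, 0x08,0x00};
const uint8_t frame_bcast[14] = {0xff,0xff,0xff,0xff,0xff,0xff, 0x02,0,0,0,0,0x02, 0x08,0x00};

/* Link-layer classification on receive: destination MAC vs. interface MAC. */
enum pkt_type classify_frame(const uint8_t *frame, const uint8_t mac[6])
{
    static const uint8_t bcast[6] = {0xff,0xff,0xff,0xff,0xff,0xff};
    if (memcmp(frame, bcast, 6) == 0) return PKT_BROADCAST;
    if (frame[0] & 0x01)              return PKT_MULTICAST; /* group bit set */
    if (memcmp(frame, mac, 6) == 0)   return PKT_HOST;
    return PKT_OTHERHOST; /* only delivered because the NIC is promiscuous */
}

uint16_t frame_ethertype(const uint8_t *frame)
{
    return (uint16_t)((frame[12] << 8) | frame[13]);
}

/* A packet tap (what libpcap attaches to) is handed every received frame. */
int tap_sees(enum pkt_type t) { (void)t; return 1; }

/* IPv4 receive path: other-host frames are dropped before any hook runs. */
int hook_sees(enum pkt_type t, uint16_t ethertype)
{
    if (ethertype != 0x0800) return 0; /* not IPv4 */
    if (t == PKT_OTHERHOST)  return 0; /* the MAC-based drop */
    return 1;
}

int main(void)
{
    const uint8_t *frames[] = {frame_host, frame_other, frame_bcast};
    const char *names[] = {"to this host", "to another host", "broadcast"};
    for (int i = 0; i < 3; i++) {
        enum pkt_type t = classify_frame(frames[i], dev_mac);
        printf("%-16s tap=%d hook=%d\n", names[i], tap_sees(t),
               hook_sees(t, frame_ethertype(frames[i])));
    }
    return 0;
}
```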



