Does Wireshark capture packets after or before my firewall (iptables) filters the traffic?
Wireshark uses libpcap on UN*Xes, and WinPcap/Npcap on Windows, to capture packets.
Given the "iptables", this is presumably Linux, which is a UN*X, so Wireshark uses libpcap; libpcap, on UN*X, uses PF_PACKET sockets to capture traffic.
So the questions are:

1. are copies of incoming packets delivered to PF_PACKET sockets before they are processed by iptables or after they are processed by iptables?
2. are copies of outgoing packets delivered to PF_PACKET sockets before they are processed by iptables or after they are processed by iptables?

This question on the old Wireshark Q&A site has some discussion of those questions, but not a full-blown deep dive into the Linux networking stack.
I have enough on my plate already to keep me from making such a deep dive at this point, but I suspect that the answer to the first question is "copies of incoming packets are delivered to PF_PACKET sockets before they are processed by iptables", i.e. fairly close to the point at which the packet is delivered to the networking stack by the network adapter driver, and the answer to the second question is "copies of outgoing packets are delivered to PF_PACKET sockets after they are processed by iptables", i.e. fairly close to the point at which the packet is delivered by the networking stack to the network adapter driver.

If you want a more authoritative answer, it'd probably be best to ask on a mailing list that discusses the Linux networking stack (and that has people on it familiar with both the point at which PF_PACKET sockets reside in the stack and the point at which iptables resides in the stack), or on a Q&A site that discusses the Linux networking stack (same parenthetical note).
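The two suspected answers above can be checked empirically rather than by reading kernel source. The script below is an added example, not part of the original question or answer and not Wireshark or libpcap code: it pings the loopback address while tcpdump (which, like Wireshark, captures through a libpcap PF_PACKET socket) listens, once with no firewall rule, once with a DROP rule for the echo requests at the top of the iptables INPUT chain, and once with the same rule in the OUTPUT chain, and compares how many echo requests the tap delivered in each case. It assumes a Linux host, root privileges, and the iptables, tcpdump, ping, timeout and mktemp commands; the interface, target address, packet count and function names are arbitrary choices made for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): check where the libpcap/tcpdump
# tap (a PF_PACKET socket) sits relative to the iptables INPUT and OUTPUT
# chains by dropping ICMP echo requests in each chain and counting what the
# tap still sees. Assumes Linux, root, and iptables/tcpdump/ping/timeout/mktemp.
IFACE=lo            # arbitrary choice; a real NIC plus a remote TARGET also works
TARGET=127.0.0.1
COUNT=3
RULE_SPEC="-p icmp --icmp-type echo-request -j DROP"

# True only when we have the privileges and tools needed for the experiment.
can_run_experiment() {
    [ "$(id -u)" -eq 0 ] || return 1
    for tool in iptables tcpdump ping timeout mktemp; do
        command -v "$tool" >/dev/null 2>&1 || return 1
    done
    iptables -S OUTPUT >/dev/null 2>&1   # fails without CAP_NET_ADMIN
}

# Ping TARGET while tcpdump listens on IFACE; print how many ICMP echo
# requests to TARGET the tap delivered (capped at COUNT by tcpdump -c).
count_captured_echo_requests() {
    out=$(mktemp)
    # timeout bounds the run for the case where a DROP rule keeps every
    # request away from the tap and -c never triggers
    timeout 4 tcpdump -i "$IFACE" -nn -l -c "$COUNT" \
        "icmp[icmptype] == icmp-echo and dst host $TARGET" >"$out" 2>/dev/null &
    pid=$!
    sleep 1                                     # let tcpdump attach first
    ping -c "$COUNT" -i 0.2 -W 1 "$TARGET" >/dev/null 2>&1 || true
    wait "$pid" 2>/dev/null || true
    grep -c 'ICMP echo request' "$out" || true  # grep exits 1 on a zero count
    rm -f "$out"
}

# Insert a DROP rule at the top of CHAIN (INPUT matches on -i, OUTPUT on -o),
# run one capture, then delete the rule again. RULE_SPEC is split on purpose.
count_with_drop_in() {
    chain=$1; ifflag=$2
    iptables -I "$chain" 1 "$ifflag" "$IFACE" $RULE_SPEC
    n=$(count_captured_echo_requests)
    iptables -D "$chain" "$ifflag" "$IFACE" $RULE_SPEC
    echo "$n"
}

# Run the three captures, print the counts, and succeed only when they show
# the tap sitting before the INPUT chain and after the OUTPUT chain.
main() {
    baseline=$(count_captured_echo_requests)
    input_drop=$(count_with_drop_in INPUT -i)
    output_drop=$(count_with_drop_in OUTPUT -o)
    echo "baseline=$baseline input_drop=$input_drop output_drop=$output_drop"
    # Expected on Linux: baseline=3 input_drop=3 output_drop=0
    # baseline: the tap works at all; input_drop: requests the INPUT chain
    # drops still reach the tap; output_drop: requests the OUTPUT chain drops
    # never reach it
    [ "$baseline" -eq "$COUNT" ] && [ "$input_drop" -eq "$COUNT" ] && [ "$output_drop" -eq 0 ]
}

if can_run_experiment; then
    main || echo "counts do not match the expected tap placement" >&2
else
    echo "skipped: needs root on Linux with iptables, tcpdump, ping, timeout and mktemp" >&2
fi
```

Run it as root (for example `sudo bash capture_vs_iptables.sh`). The INPUT-chain run still reports all three echo requests because the tap hands them to tcpdump even though netfilter then drops them, while the OUTPUT-chain run reports none because outgoing packets reach the tap only after the OUTPUT chain has let them through; that is exactly the asymmetry the answer predicts. Each DROP rule is deleted right after its capture, but if the script is interrupted between the insert and the delete, check `iptables -S` and remove the leftover rule by hand.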