Wireshark capture packets after or before firewall

asked 2023-04-05 06:31:59 +0000

TatnocGL

Hi. Does Wireshark capture packets after or before my firewall (iptables) filters the traffic?


1 Answer


answered 2023-04-06 07:57:01 +0000

Guy Harris

Does Wireshark capture packets after or before my firewall (iptables) filter the traffic?

Wireshark uses libpcap on UN*Xes, and WinPcap/Npcap on Windows, to capture packets.

Given the "iptables", this is presumably Linux, which is a UN*X, so Wireshark uses libpcap; libpcap, on UN*X, uses PF_PACKET sockets to capture traffic.

So the questions are:

  1. Are copies of incoming packets delivered to PF_PACKET sockets before they are processed by iptables or after they are processed by iptables?
  2. Are copies of outgoing packets delivered to PF_PACKET sockets before they are processed by iptables or after they are processed by iptables?

This question on the old Wireshark Q&A site has some discussion of those questions, but not a full-blown deep dive into the Linux networking stack.

I have enough on my plate already to keep me from making such a deep dive at this point, but I suspect that the answer to the first question is "copies of incoming packets are delivered to PF_PACKET sockets before they are processed by iptables", i.e. fairly close to the point at which the packet is delivered to the networking stack by the network adapter driver, and the answer to the second question is "copies of outgoing packets are delivered to PF_PACKET sockets after they are processed by iptables", i.e. fairly close to the point at which the packet is delivered by the networking stack to the network adapter driver.

If you want a more authoritative answer, it'd probably be best to ask on a mailing list that discusses the Linux networking stack (and that has people on it familiar with both the point at which PF_PACKET sockets reside in the stack and the point at which iptables resides in the stack), or on a Q&A site that discusses the Linux networking stack (same parenthetical note).


Comments

Thank you for your answer. That is everything I need to know at this point.

TatnocGL (2023-04-06 09:59:21 +0000)
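The two questions in the answer can be checked empirically. The script below is an added example, not part of the original answer: it builds two throwaway network namespaces joined by a veth pair, drops ICMP with iptables in one chain at a time, and compares the number of echo requests a tcpdump (PF_PACKET) capture sees with the rule's packet counter. The namespace names (`pfa`, `pfb`), interface names (`va`, `vb`), the 10.99.0.0/24 subnet and all function names are assumptions chosen for the example; it needs Linux, root, iproute2, iptables, tcpdump and ping.

```shell
#!/usr/bin/env bash
# Added example (not from the answer). Needs Linux, root, iproute2, iptables,
# tcpdump and ping. Namespace names, veth names and 10.99.0.0/24 are arbitrary.

# Count ICMP echo requests in tcpdump text output (stdin).
count_echo_requests() { grep -c 'ICMP echo request' || true; }

# Packet counter of the first DROP rule in `iptables -L CHAIN -v -n -x` output (stdin).
drop_counter() { awk '$3 == "DROP" { print $1; found = 1; exit } END { if (!found) print 0 }'; }

# verdict CAPTURED DROPPED: where the capture tap sits relative to the DROP rule.
verdict() {
  if [ "$2" -eq 0 ]; then echo inconclusive          # rule never matched
  elif [ "$1" -ge "$2" ]; then echo before-iptables  # capture saw the dropped packets
  elif [ "$1" -eq 0 ]; then echo after-iptables      # dropped packets never reached the tap
  else echo inconclusive; fi
}

# run_case CHAIN NS IFACE: drop ICMP in CHAIN inside NS, capture on IFACE, ping pfa -> pfb.
run_case() (
  chain=$1; ns=$2; ifc=$3
  out=$(mktemp)
  ip netns exec "$ns" iptables -A "$chain" -p icmp -j DROP
  ip netns exec "$ns" tcpdump -l -n -i "$ifc" icmp >"$out" 2>/dev/null &
  pid=$!; sleep 1
  ip netns exec pfa ping -c 3 -W 1 10.99.0.2 >/dev/null 2>&1 || true
  sleep 1; kill "$pid"; wait "$pid" 2>/dev/null || true
  cap=$(count_echo_requests <"$out")
  drop=$(ip netns exec "$ns" iptables -L "$chain" -v -n -x | drop_counter)
  ip netns exec "$ns" iptables -F "$chain"; rm -f "$out"
  echo "$chain: captured=$cap dropped=$drop -> $(verdict "$cap" "$drop")"
)

main() {
  [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
  ip netns add pfa; ip netns add pfb
  trap 'ip netns del pfa; ip netns del pfb' EXIT
  ip link add va netns pfa type veth peer name vb netns pfb
  ip -n pfa addr add 10.99.0.1/24 dev va; ip -n pfa link set va up
  ip -n pfb addr add 10.99.0.2/24 dev vb; ip -n pfb link set vb up
  run_case INPUT pfb vb    # incoming packets, dropped on the receiving side
  run_case OUTPUT pfa va   # outgoing packets, dropped on the sending side
}

if [ "${1:-}" = "run" ]; then main; fi
```

Run it as root with the argument `run`; without the argument it only defines the functions. The iptables rules are added inside the namespaces, so the host's own ruleset is not modified.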


Stats

Asked: 2023-04-05 06:31:59 +0000

Seen: 1,155 times

Last updated: Apr 06 '23