Wireshark · Ethereal-users: Re: [Ethereal-users] Ethereal and FreeBSD IPFW

Ethereal-users: Re: [Ethereal-users] Ethereal and FreeBSD IPFW

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>

Date: Mon, 7 Oct 2002 15:02:47 -0700

On Thu, Sep 19, 2002 at 10:39:11PM -0500, Aron Silverton wrote:
> What is the order of operations on a FreeBSD machine using ipfw when 
> sniffing packets with Ethereal?

The link-layer interface driver calls "bpf_tap()" or "bpf_mtap()" to
hand packets to BPF before handing them to any other part of the
system...

> It appears that Ethereal is showing me 
> packets *before* they are inspected by the firewall.

...in particular, before handing them to IPFW.

> My firewall 
> logging shows the packets in question being dropped, but Ethereal shows 
> them in the capture.  Is there a way to sniff the packets *after* the 
> have traversed the firewall rules?

I don't know.  I'd suggest asking one of the FreeBSD lists whether
there's any way to do BPF captures (as that's what all libpcap-based
programs, such as Ethereal and tcpdump and snort and so on use to
capture traffic) on the stream of packets that go through ipfw.

Prev by Date: Re: [Ethereal-users] i cannot start collecting data
Next by Date: Re: [Ethereal-users] Using Ethereal with Cisco SPAN
Previous by thread: Re: [Ethereal-users] i cannot start collecting data
Next by thread: Re: [Ethereal-users] Using Ethereal with Cisco SPAN
Index(es):
- Date
- Thread