Lucas Mocellin <[EMAIL PROTECTED]> wrote on Thursday, September 25, 2008 7:57:16 PM
> I marked some packets with iptables (-j MARK), and I want to "see" this set.
>
> I tried to search Google, but nothing related. tcpdump doesn't seem to help
> with that.

The MARK target _associates_ a mark with the packet in the kernel data structures. That is, the packet itself is not modified.

The sniffers tcpdump and ethereal only see the packets as they come in / go out through the wire. Even if you MARK a packet that is subsequently sent out on the wire, only the packet itself, not the associated kernel data structures, is available to the sniffers.

Guessing wildly, there may be a way of creating an extraordinary loopback device and having the router forward marked packets through that device, and having the sniffers sniff that device. Lots of research required, I guess.

Regards