Hi

I am using Debian squeeze with tcpdump version 4.1.1 with libpcap version 1.1.1 
and I'm having problems capturing traffic from the loopback interface lo. I use 
tcpdump -i lo -vv.

I have the server set up with stunnel running in transparent mode, which I 
believe uses a tproxy'ish setup since it needs the below code. 

iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT

ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

echo 0 >/proc/sys/net/ipv4/conf/lo/rp_filter

This all works fine, and as part of my setup I need to mark packets as they 
leave interface lo, so I do iptables -t mangle -A OUTPUT -o lo -p tcp -j MARK 
--set-mark 2 and this marks the packets fine. If I log/trace these packets I 
can see them in /var/log/messages. For example:

debian kernel: [76198.428894] ---[MANGLE (OUTPUT)]:--- IN= OUT=lo SRC=10.0.0.10 
DST=10.0.0.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=63684 DF PROTO=TCP SPT=1249 
DPT=80 WINDOW=32792 RES=0x00 SYN URGP=0 MARK=0x2

The problem is that while tcpdump is running for interface lo I can't see this 
traffic, and I was wondering if this was by design or if I had to enable some 
extra feature in the config?

If I ping 127.0.0.1 I see the tcpdump traffic, so I know it is working, just not 
for the above traffic.

If anyone can explain this behavior, I'd appreciate it.

many thanks
flo


This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
