[Techtalk] tcpdump and iptables

Hans Tegnerud hans_tegnerud at chello.se
Sun Jun 22 02:36:41 EST 2003


Subba Rao wrote:

> I am using iptables on my system.  It is a very basic setup that denies all
> outside connections.  When an outside connection is attempted, the packet
> is dropped and logged into the syslog.  When I run tcpdump on the same
> interface, I do see a lot of ARP requests and bootps/bootpc (UDP) requests.
> Why are these attempts not logged into syslog?
>
> Is it because ARP requests are a lower level protocol?

It sounds as if these packets might be destined for other machines and I
believe tcpdump sets the network card into promiscuous mode by default (try
the '-p' switch to tcpdump) and that your iptables rules only log packets
destined for your machine.

> Another question is, when a legitimate packet is allowed and climbing the
> TCP/IP stack, who (iptables or tcpdump) gets to see the packet first?

I believe tcpdump does.
I found the snippet below in the LVS-HOWTO (linuxvirtualserver.org).


"tcpdump makes a copy of packets for its own use. tcpdump gets a copy of the
packets before netfilter (on the way in) and after netfilter (on the way
out). You should see all packets with tcpdump as if netfilter didn't exist.

Joseph Mack, 16 Mar 2001
I'm looking at packets after they've been accepted by TP and I'm using
(among other things) tcpdump.
Where in the netfilter chain does tcpdump look at incoming and outgoing
packets? When they are put on/received from the wire? After the INPUT,
before the OUTPUT chain...?

Julian
Before/after any netfilter chains. Such programs hook at packet level
before/after the IP stack just before/after the packet is received/must be
sent from/by the device. They work for other protocols. tcpdump is a packet
receiver just like the IP stack is in the network stack."

http://www.linuxvirtualserver.org/Joseph.Mack/HOWTO/LVS-HOWTO.filter_rules.html


Anyone, please enlighten me if I'm wrong.

/Hans
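To make the two points above concrete (ARP is not IP, so the IP-level iptables chains never see it, and a promiscuous tcpdump shows frames addressed to other hosts that your INPUT rules never process), here is a small added example, not from the thread or the LVS-HOWTO, that sorts constructed tcpdump lines against constructed iptables LOG syslog lines. The local address set, the sample lines and the helper names are all assumptions for the demonstration.

```python
import re

# Constructed tcpdump output (default mode, NIC in promiscuous mode) for eth0.
TCPDUMP_LINES = [
    "12:00:01.000000 ARP, Request who-has 192.168.1.20 tell 192.168.1.1, length 46",
    "12:00:01.100000 IP 192.168.1.30.bootpc > 192.168.1.1.bootps: BOOTP/DHCP, Request",
    "12:00:02.000000 IP 10.0.0.5.40000 > 192.168.1.10.22: Flags [S], seq 1, win 512",
    "12:00:02.500000 IP 10.0.0.5.40001 > 192.168.1.20.80: Flags [S], seq 1, win 512",
]
# Constructed syslog lines written by an iptables '-j LOG' rule in the INPUT chain.
SYSLOG_LINES = [
    "Jun 22 12:00:02 host kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.10 "
    "PROTO=TCP SPT=40000 DPT=22 SYN",
]
LOCAL_ADDRS = {"192.168.1.10"}  # constructed: this host's own address on eth0

IP_RE = re.compile(r"\bIP (\S+) > (\S+):")
LOG_RE = re.compile(r"SRC=(\S+) DST=(\S+)")


def endpoints(tcpdump_line):
    """Return (src, dst) host addresses of an IP line, or None for non-IP (e.g. ARP)."""
    m = IP_RE.search(tcpdump_line)
    if not m:
        return None
    # tcpdump prints host.port (or host.service); strip the trailing part
    return tuple(ep.rsplit(".", 1)[0] for ep in m.groups())


def logged_pairs(syslog_lines):
    """(SRC, DST) pairs that the iptables LOG target actually wrote to syslog."""
    return {m.groups() for line in syslog_lines if (m := LOG_RE.search(line))}


def classify(tcpdump_line, syslog_lines, local_addrs):
    """Explain why a packet visible to tcpdump may be absent from the iptables log."""
    ep = endpoints(tcpdump_line)
    if ep is None:
        return "not IP: ARP never enters the iptables chains"
    src, dst = ep
    if dst not in local_addrs:
        return "IP for another host: seen only because of promiscuous mode"
    if (src, dst) in logged_pairs(syslog_lines):
        return "IP for this host: logged by iptables"
    return "IP for this host but not in syslog: check the LOG rule"


def report(tcpdump_lines=TCPDUMP_LINES, syslog_lines=SYSLOG_LINES, local_addrs=LOCAL_ADDRS):
    return {line: classify(line, syslog_lines, local_addrs) for line in tcpdump_lines}


if __name__ == "__main__":
    for line, reason in report().items():
        print(f"{reason}\n    {line}")
```

On a real host, feed it the output of tcpdump -n (to get numeric addresses) and the addresses from ip addr, and re-run tcpdump with -p to confirm the "other host" frames disappear.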
