Bug#1033902: ulogd2 debian package missing PCAP output plugin from upstream

2023-04-04 Thread Harald Welte
On Tue, Apr 04, 2023 at 08:31:42AM +0100, Chris Boot wrote:
> On 03/04/2023 19:37, Harald Welte wrote:
> > However, I was surprised to see that the ulogd2 package both in Debian stable as well
> > as unstable doesn't contain the PCAP output plugin.  Is that a conscious decision? I would
> > think it's a rather useful feature to have.
> 
> It's included in the ulogd2-pcap package, which is separate in order to
> avoid the dependency on libpcap. It was this way even with ulogd 1.x.

ugh.  Somehow that was too obvious. Sorry for the noise.

-- 
- Harald Welte   https://laforge.gnumonks.org/

"Privacy in residential applications is a desirable marketing option."
  (ETSI EN 300 175-7 Ch. A6)



Bug#1033902: ulogd2 debian package missing PCAP output plugin from upstream

2023-04-04 Thread Chris Boot

On 03/04/2023 19:37, Harald Welte wrote:

> However, I was surprised to see that the ulogd2 package both in Debian stable as well
> as unstable doesn't contain the PCAP output plugin.  Is that a conscious decision? I would
> think it's a rather useful feature to have.


It's included in the ulogd2-pcap package, which is separate in order to 
avoid the dependency on libpcap. It was this way even with ulogd 1.x.


Cheers,
Chris

--
Chris Boot
bo...@debian.org



Bug#1033902: ulogd2 debian package missing PCAP output plugin from upstream

2023-04-03 Thread Harald Welte
Package: ulogd2
Version: 2.0.8-1
Severity: normal

Today - for the first time in probably 15+ years - I wanted to capture the actual packets
dropped within netfilter in a pcap file.  The method I developed during my netfilter days
20 years ago for this is the PCAP output plugin of ulogd.

To my knowledge it's the only method which allows you to capture the actual binary packet
violating your iptables or nftables policy for later analysis in wireshark or other pcap
related tools.

However, I was surprised to see that the ulogd2 package both in Debian stable as well
as unstable doesn't contain the PCAP output plugin.  Is that a conscious decision? I would
think it's a rather useful feature to have.

Also, the example config file contains PCAP related sections, making this even more confusing.  So you
uncomment parts of the example config that gets installed (stack=log2:NFLOG,base1:BASE,pcap1:PCAP) and then it
fails due to not finding the PCAP plugin, either with

Apr 03 19:02:11 lakshmi1 ulogd[3579]: can't find requested plugin PCAP

(in the plugin auto-load case), or with

Apr 03 19:02:38 lakshmi1 ulogd[3607]: load_plugin: '/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_PCAP.so': /usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_PCAP.so: cannot open shared object file: No such file or directory

(in the case one explicitly wants to load the plugin via the commented-out line
from the sample config file).

Given that building the pcap plugin is enabled by default, I guess it must be explicitly disabled with
--disable-pcap in the debian package, so I guess it's a conscious decision and not an accident?

Thanks for looking into this.

-- System Information:
Debian Release: 12.0
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.1.0-7-amd64 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages ulogd2 depends on:
ii  adduser                    3.132
ii  init-system-helpers        1.65.2
ii  libc6                      2.36-8
ii  libmnl0                    1.0.4-3
ii  libnetfilter-acct1         1.0.3-3
ii  libnetfilter-conntrack3    1.0.9-3
ii  libnetfilter-log1          1.0.2-3
ii  libnfnetlink0              1.0.2-2
ii  lsb-base                   11.6
ii  sysvinit-utils [lsb-base]  3.06-3

ulogd2 recommends no packages.

Versions of packages ulogd2 suggests:
pn  ulogd2-dbi  
pn  ulogd2-json 
pn  ulogd2-mysql
pn  ulogd2-pcap 
pn  ulogd2-pgsql
pn  ulogd2-sqlite3  

-- Configuration Files:
/etc/ulogd.conf [Errno 13] Permission denied: '/etc/ulogd.conf'

-- no debconf information
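
An added example, not part of the bug report or of ulogd itself: a shell check for the failure reported above, comparing the plugins named in active stack= lines of a ulogd config with the ulogd_*_<NAME>.so files present in the plugin directory. The function name, the sample config and the empty placeholder plugin files are constructed for illustration; the ulogd2-pcap hint is the only package mapping the thread confirms.

```shell
#!/bin/sh
# missing_ulogd_plugins CONF PLUGIN_DIR   (hypothetical helper name)
# Prints one line per plugin that an active stack= line references but that
# has no ulogd_*_<NAME>.so in PLUGIN_DIR. Returns 1 if any plugin is missing.
missing_ulogd_plugins() {
    conf=$1 dir=$2 rc=0
    # Active stack lines look like: stack=log2:NFLOG,base1:BASE,pcap1:PCAP
    # Lines starting with '#' are skipped because the pattern anchors on "stack".
    names=$(sed -n 's/^[[:space:]]*stack[[:space:]]*=[[:space:]]*//p' "$conf" |
        tr ',' '\n' |
        sed -n 's/^[^:]*:\([A-Za-z0-9_]*\).*$/\1/p' |
        sort -u)
    for name in $names; do
        found=no
        # The plugin type (inppkt, raw2packet, output, ...) is part of the
        # file name, so match any type for this plugin name.
        for f in "$dir"/ulogd_*_"$name".so; do
            if [ -e "$f" ]; then found=yes; fi
        done
        if [ "$found" = no ]; then
            case $name in
                PCAP) echo "missing: $name (Debian package: ulogd2-pcap)" ;;
                *)    echo "missing: $name" ;;
            esac
            rc=1
        fi
    done
    return $rc
}

# Constructed demo: the stack from the report, checked against a plugin
# directory that has the NFLOG and BASE plugins but not the PCAP one.
demo=$(mktemp -d)
mkdir "$demo/plugins"
touch "$demo/plugins/ulogd_inppkt_NFLOG.so" \
      "$demo/plugins/ulogd_raw2packet_BASE.so"
printf '%s\n' '[global]' \
    '#stack=log1:NFLOG,base1:BASE,emu1:LOGEMU' \
    'stack=log2:NFLOG,base1:BASE,pcap1:PCAP' > "$demo/ulogd.conf"
missing_ulogd_plugins "$demo/ulogd.conf" "$demo/plugins" ||
    echo "ulogd would fail to start with this config"
rm -rf "$demo"
```

On a real system the arguments would be /etc/ulogd.conf and the plugin directory shown in the load_plugin error above.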