On Sun, Mar 03, 2002 at 08:37:49PM -0500, Ashley Thomas wrote:
> If I run an IDS on a firewall:
> - will the IDS see the packets which are blocked by the firewall?
> (IDS is run on the outside interface of the firewall)
>
> The question reduces to:
> - will the libpcap get those packets which are blocked by firewall?

That depends on whether the firewall code throws away packets before they get handed to the OS's low-level capture mechanism or not.

I don't know what the various firewall mechanisms do, so I can't answer the question other than to, as per the previous paragraph, say "it depends".

I *suspect* that BSD-based filters will show the packets to BPF, and thus to libpcap, as BPF gets handed packets by the driver at a fairly low level. I can't speak for Linux, systems that use DLPI, Windows, etc. (and can only guess even for BSD).

-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe
