On Wed, Jun 29, 2011 at 11:37 AM, Andrey <and...@cs.dal.ca> wrote:
> Somebody told me this:
> AF_PACKET sockets bypass Netfilter.
> He did not explain too much and I don't have any experience with those terms.
> Do you know what it means? How can I fix this?

If memory serves, AF_PACKET does bypass netfilter. When the packet arrives in Linux, tcpdump uses the AF_PACKET path, which (effectively) creates a copy of the packet and sends it to tcpdump; the other copy of the packet goes to the IP receive function, which then goes on to netfilter.

tcpdump also puts the interface in promiscuous mode, so it will see packets that won't be seen normally (not filtered by MAC address). I think the -p option for tcpdump makes it not run in promiscuous mode (see the man page for more details).

--michael

_______________________________________________
Tcpreplay-users mailing list
Tcpreplay-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tcpreplay-users
Support Information: http://tcpreplay.synfin.net/trac/wiki/Support
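
An added example, not part of the original thread: because AF_PACKET sockets receive their copy of a frame on the path the reply describes, netfilter rules do not show who is capturing, but Linux lists every such socket in `/proc/net/packet`. This Python sketch parses that table and picks out capture-style sockets; the sample rows are constructed, and the function names are this example's own.

```python
from pathlib import Path

ETH_P_ALL = 0x0003  # protocol value meaning "all frames, any ethertype"
SOCK_TYPES = {2: "SOCK_DGRAM", 3: "SOCK_RAW"}

# Constructed sample in the /proc/net/packet column layout (not real output).
SAMPLE = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
ffff8880aaaa0000 3      3    0003   2     1 0      0      41001
ffff8880bbbb0000 3      2    888e   3     1 0      101    41002
ffff8880cccc0000 3      3    0003   0     1 0      0      41003
"""

def parse_packet_sockets(text):
    """Return one dict per AF_PACKET socket listed in the table."""
    rows = []
    for line in text.strip().splitlines()[1:]:   # skip the header row
        f = line.split()
        if len(f) < 9:
            continue                              # ignore malformed lines
        rows.append({
            "type": SOCK_TYPES.get(int(f[2]), f[2]),
            "proto": int(f[3], 16),               # Proto column is hex
            "ifindex": int(f[4]),                 # 0 = not bound to one interface
            "running": f[5] == "1",
            "uid": int(f[7]),
            "inode": int(f[8]),
        })
    return rows

def capture_taps(rows):
    """Sockets that asked for every frame (ETH_P_ALL), as a sniffer does."""
    return [r for r in rows if r["proto"] == ETH_P_ALL and r["running"]]

if __name__ == "__main__":
    proc = Path("/proc/net/packet")
    text = proc.read_text() if proc.exists() else SAMPLE
    for r in capture_taps(parse_packet_sockets(text)):
        where = f"ifindex {r['ifindex']}" if r["ifindex"] else "all interfaces"
        print(f"{r['type']} uid={r['uid']} inode={r['inode']} on {where}")
```

The inode can be matched against the `socket:[inode]` links under `/proc/<pid>/fd` to find the owning process.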