[clug] iptables to simulate promiscuous interface

jm jeffm at ghostgun.com
Tue Jan 13 03:35:07 GMT 2009

I've trying to use fprobe-ulog instead of the normal fprobe to fix the 
problem I mentianed in an earlier post. This fix was suggested by 
someone on the flow-tools mailing list. fprobe-ulog relies on the 
iptables target ULOG to forward matching traffic to it. This is were I 
seem to be hitting a snag. Diagramatically, the set up is,

        mirrored         netflow
 router --------> fprobe -------> flow-collector ----> custom script
           eth2                    lo0

The traffic arriving at eth2 needs to be selected via a suitable 
iptables rule in the correct table to simulate putting that interface 
into promiscuous mode. It would be something along the lines of,

 iptables -t raw -I PREROUTING -i eth2 -j ULOG

I've tried the nat, mangle, and raw tables with the PREROUTING chain, 
but I don't seem to be matching the anywhere near the number of expocted 
packets nor seeing the expected activity in fprobe-ulog. This is 
confirmed by running ulogd with a default configuration. The logs are 
rather sparse. What is the correct iptables command to do this? Is this 
actually possible or should I be looking at something else (eg, ebtables)?


 tcpdump -i eth2 -n

confirms that the desired traffic does exist on this interface. (thought 
I better double check before I post this).


More information about the linux mailing list