[clug] iptables to simulate promiscuous interface

James Polley clug at zhasper.com
Tue Jan 13 06:31:41 GMT 2009

There is nothing more worthy of contempt than a man who quotes himself
- Zhasper, 2004

On Tue, Jan 13, 2009 at 2:35 PM, jm <jeffm at ghostgun.com> wrote:
> I'm trying to use fprobe-ulog instead of the normal fprobe to fix the
> problem I mentioned in an earlier post. This fix was suggested by someone on
> the flow-tools mailing list. fprobe-ulog relies on the iptables target ULOG
> to forward matching traffic to it. This is where I seem to be hitting a snag.
> Diagrammatically, the set up is,
>       mirrored         netflow
>        traffic
> router --------> fprobe -------> flow-collector ----> custom script
>          eth2                    lo0
> The traffic arriving at eth2 needs to be selected via a suitable iptables
> rule in the correct table to simulate putting that interface into
> promiscuous mode.

It's been a while since I've played with this, but I don't think
there's any way to "simulate" putting the interface into promiscuous
mode. If it's being promiscuous it will forward up the stack all
frames it received; if it isn't being promiscuous, it will only
forward up the stack packets addressed to it - and so iptables will
never get a chance to see the packet.

Normally you'd have your netflow collector somewhere central: last
time I set one up, it was on the router that forwarded all traffic to
Teh Interwebs. It got to see all the traffic because it was the
default gateway for all machines on the network - but it didn't see
any chatter between the hosts on the network.

If you don't have fprobe running in such a place, the libpcap variant
of fprobe might work for you better, especially given that you've
confirmed that libpcap can see the packets.

Out of curiosity: if the card is set in promiscuous mode (by running
tcpdump), does iptables then see the traffic?

(incidentally, tcpdump has a "-p" flag which tells it not to set
promiscuous mode - but the man page warns that some other process might
have set promiscuous mode, so you may see extra traffic anyway)

> It would be something along the lines of,
> iptables -t raw -I PREROUTING -i eth2 -j ULOG
> I've tried the nat, mangle, and raw tables with the PREROUTING chain, but I
> don't seem to be matching anywhere near the number of expected packets
> nor seeing the expected activity in fprobe-ulog. This is confirmed by
> running ulogd with a default configuration. The logs are rather sparse. What
> is the correct iptables command to do this? Is this actually possible or
> should I be looking at something else (eg, ebtables)?
> Lastly,
> tcpdump -i eth2 -n
> confirms that the desired traffic does exist on this interface. (thought I
> better double check before I post this).
> Jeff.
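Added example (not part of the original thread): a small Python model of the filtering described in the reply above, showing why an iptables rule on a mirror port matches only a fraction of the traffic when the interface is not promiscuous. The MAC addresses and frames are constructed sample data, the function names are hypothetical, and the multicast filter is simplified to accept all multicast.

```python
import struct

# Constructed sample data: eth2's MAC address (assumed value for illustration).
ETH2_MAC = bytes.fromhex("020000000002")

def frame(dst, src, ethertype=0x0800, payload=b"\x00" * 46):
    """Build a minimal Ethernet II frame (constructed test input)."""
    return bytes.fromhex(dst) + bytes.fromhex(src) + struct.pack("!H", ethertype) + payload

# Constructed frames as they might arrive on a mirror port.
MIRRORED = [
    frame("0200000000aa", "0200000000bb"),          # host B -> host A, copied by the router
    frame("0200000000bb", "0200000000aa"),          # host A -> host B, copied by the router
    frame("ffffffffffff", "0200000000aa", 0x0806),  # ARP broadcast
    frame("020000000002", "0200000000aa"),          # addressed to eth2 itself
]

def classify(raw, own_mac):
    """Label a frame by destination MAC, using the Linux pkt_type names."""
    if len(raw) < 14:
        raise ValueError("truncated Ethernet header")
    dst = raw[:6]
    if dst == b"\xff" * 6:
        return "BROADCAST"
    if dst[0] & 0x01:  # group bit set in the first octet
        return "MULTICAST"
    return "HOST" if dst == own_mac else "OTHERHOST"

def passed_up(frames, own_mac, promiscuous):
    """Frames the NIC hands to the stack.

    Simplification: every multicast frame is accepted, whereas a real NIC
    only accepts groups the host has joined.
    """
    return [f for f in frames
            if promiscuous or classify(f, own_mac) != "OTHERHOST"]

if __name__ == "__main__":
    for promisc in (False, True):
        seen = passed_up(MIRRORED, ETH2_MAC, promisc)
        print(f"promiscuous={promisc}: {len(seen)}/{len(MIRRORED)} frames reach the stack")
        for f in seen:
            print("   ", f[:6].hex(":"), classify(f, ETH2_MAC))
```

With promiscuous mode off, only the broadcast and the frame addressed to eth2 get past the NIC, which matches the sparse ulogd logs described in the quoted message.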