If I understand it correctly, I would have to examine the pcap file from ulogd and compare it with a standard pcap from Wireshark. It seems to be very hard work.
As I read in "man iptables", the ULOG target is made for exactly the case I'm looking for.
Wireshark should offer such a possibility to mark/colorize packets which are sent to a defined netlink socket (== ULOG target).
I would be surprised if such functionality were lacking in Wireshark.
Is it certain that Wireshark does not have it?
--kapetr
----- ORIGINAL MESSAGE -----
From: "Jaap Keuter" <jaap.keuter@xxxxxxxxx>
To: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
Subject: Re: [Wireshark-users] capturing before/after firewall in
Date: 29.12.2012 - 17:44:35
> Hi,
>
> I think you should look into ulogd. ulogd is a userspace logging daemon for
> netfilter/iptables related logging.
> (http://www.netfilter.org/projects/ulogd/index.html). Using the
> ulogd_output_PCAP.so plugin you can have it write pcap files.
>
> Thanks,
> Jaap
>
>
> On 12/28/2012 06:58 PM, kapetr wrote:
> > Hello,
> >
> > I run Wireshark on Ubuntu 12.04.1 64-bit
> >
> > If I see it correctly, Wireshark shows all incoming packets, even those which are dropped by the firewall (iptables).
> >
> > 1. Is this so?
> >
> > 2. For outgoing packets I expect it will be reversed: Wireshark will not show packets dropped by the FW?
> >
> > [in other words: Wireshark is placed between the FW and the NIC driver?]
> >
> > 3. Is there a way to show in Wireshark ALL in/out packets AND mark (colorize) packets which are/will be dropped by the FW?
> >
> > [Wireshark would also have to monitor packets between the FW and the higher layers of the system]
> >
> > Thanks --kapetr
> >
>
> ___________________________________________________________________________
> Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> Archives: http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>
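The comparison kapetr describes above (ulogd's pcap against a normal NIC capture) can be automated; the following is an added Python example, not code from this thread or from the ulogd/Wireshark projects. It assumes the ULOG rule sits directly before the DROP rule (so every record in the ulogd file is a dropped packet) and that ulogd's PCAP output writes raw IP records (link type 12); the link type is read from each file's header, so an Ethernet file works too. The sample pcaps are constructed in memory.

```python
import struct

# libpcap link types we strip: Ethernet, raw IP (as ulogd's PCAP output is assumed to write), Linux cooked
LINK_HDR_LEN = {1: 14, 12: 0, 101: 0, 113: 16}

def ip_packets(pcap):
    """Yield the IPv4 packet of each record in a classic pcap file (not pcapng)."""
    endian = {b"\xa1\xb2\xc3\xd4": ">", b"\xd4\xc3\xb2\xa1": "<"}[pcap[:4]]
    skip = LINK_HDR_LEN[struct.unpack(endian + "I", pcap[20:24])[0]]
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        ip = pcap[off + 16 + skip:off + 16 + incl_len]
        off += 16 + incl_len
        yield ip[:struct.unpack(">H", ip[2:4])[0]]  # drop Ethernet padding via the IPv4 total length

def logged_frames(nic_pcap, ulog_pcap, cprange=0):
    """1-based frame numbers of nic_pcap packets that ulogd also logged.

    ULOG copies at most --ulog-cprange bytes (0 = whole packet), so only that
    prefix is compared; timestamps differ between the two files and are ignored.
    """
    key = (lambda p: p[:cprange]) if cprange else (lambda p: p)
    logged = {key(p) for p in ip_packets(ulog_pcap)}
    return [n for n, p in enumerate(ip_packets(nic_pcap), 1) if key(p) in logged]

def display_filter(frames):
    """Display filter for a Wireshark colouring rule that marks the logged (dropped) frames."""
    return " || ".join("frame.number == %d" % n for n in frames) or "frame.number == 0"

# Constructed sample data: two IPv4/UDP packets (checksums left zero), only the second one logged.
def ipv4(src, dst, payload):
    return struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, 17, 0, src, dst) + payload

def pcap_file(linktype, packets, link_hdr=b""):
    out = struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, linktype)
    for i, p in enumerate(packets):
        out += struct.pack("<IIII", 1356800000 + i, 0, len(link_hdr + p), len(link_hdr + p)) + link_hdr + p
    return out

PKT_A = ipv4(b"\x0a\x00\x00\x02", b"\x0a\x00\x00\x01", b"\x00\x35\x00\x35\x00\x0f\x00\x00allowed")
PKT_B = ipv4(b"\xc0\xa8\x01\x09", b"\x0a\x00\x00\x01", b"\x04\xd2\x00\x17\x00\x0f\x00\x00blocked")
NIC_PCAP = pcap_file(1, [PKT_A, PKT_B], link_hdr=b"\xff" * 12 + b"\x08\x00")  # Ethernet capture from the NIC
ULOG_PCAP = pcap_file(12, [PKT_B])  # raw-IP pcap as assumed to be written by ulogd for the ULOG'ed packet

if __name__ == "__main__":
    print(display_filter(logged_frames(NIC_PCAP, ULOG_PCAP, cprange=48)))  # frame.number == 2
```

Paste the printed filter into View > Coloring Rules in Wireshark (with the NIC capture open) to highlight the frames the firewall dropped.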