
RE: [LI] Can we look into IP packets throu



> hi!!
>      as I know we can put a firewall on linux using ipchains &
> we can also log packets for any site, but is there any way of finding
> what were the contents in those packets
>
>   the logged packet looks like this ::
>
> Packet log: input DENY eth0 PROTO=17 192.168.2.1:53 192.168.1.1:1025
>        L=34 S=0x00 I=18 F=0x0000 T=254
>
>     which says the packet length was 34 ,
>
>     but how could I see the original content in this packet ??
>
>  thanks in advance!!
this looks like a DNS reply from the named daemon on 192.168.2.1 (port 53).

to catch this packet, if you can reproduce it, the easiest is to use tcpdump and
tell it to capture all port 53 packets for host 192.168.1.1 for example.

i believe you could also use this feature in the kernel:
IP: firewall packet netlink device
CONFIG_IP_FIREWALL_NETLINK
  If you say Y here, you can use the ipchains tool to copy all or part
  of any packet you specify that hits your Linux firewall to optional
  user space monitoring software that can then look for attacks and
  take actions such as paging the administrator of the site.

  To use this, you need to create a character special file under /dev
  with major number 36 and minor number 3 using mknod ("man mknod"),
  and you need (to write) a program that reads from that device and
  takes appropriate action.

pascal  
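As an added illustration of the tcpdump approach suggested above (not part of the original reply): a small POSIX shell helper that parses an ipchains "Packet log:" line of the format the poster quoted and turns it into the interface and capture filter tcpdump would need to grab the same flow, with payload shown in hex and ASCII. The sample log line is constructed from the thread; the `-s 0 -X` options assume a reasonably modern tcpdump.

```shell
#!/bin/sh
# Constructed sample, copied from the ipchains log format shown in the question.
SAMPLE_LOG='Packet log: input DENY eth0 PROTO=17 192.168.2.1:53 192.168.1.1:1025 L=34 S=0x00 I=18 F=0x0000 T=254'

# Map the numeric PROTO= value ipchains logs to the tcpdump keyword for it.
proto_name() {
    case "$1" in
        1)  echo icmp ;;
        6)  echo tcp ;;
        17) echo udp ;;
        *)  echo "ip proto $1" ;;
    esac
}

# Convert one "Packet log:" line into "<iface>|<tcpdump filter>".
# Fields after whitespace split: 1=Packet 2=log: 3=chain 4=verdict 5=iface
# 6=PROTO=n 7=src:port 8=dst:port (for ICMP ipchains logs type:code instead).
log_to_filter() {
    set -- $1                      # split the log line on whitespace
    iface=$5
    proto=$(proto_name "${6#PROTO=}")
    src_ip=${7%:*}; src_port=${7##*:}
    dst_ip=${8%:*}; dst_port=${8##*:}
    case "$proto" in
        tcp|udp) echo "$iface|$proto and host $src_ip and port $src_port and host $dst_ip and port $dst_port" ;;
        *)       echo "$iface|$proto and host $src_ip and host $dst_ip" ;;   # no ports for ICMP etc.
    esac
}

# Build the full tcpdump command: -n (no name lookups), -s 0 (whole packet),
# -X (hex + ASCII dump of the payload, i.e. the packet contents being asked about).
tcpdump_cmd() {
    spec=$(log_to_filter "$1")
    echo "tcpdump -n -i ${spec%%|*} -s 0 -X '${spec#*|}'"
}

tcpdump_cmd "$SAMPLE_LOG"
```

Run the printed command as root on the firewall while reproducing the traffic; the filter matches the exact DNS exchange the log line records.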
--------------------------------------------------------------------
The Linux India Mailing List Archives are now available.  Please search
the archive at http://lists.linux-india.org/ before posting your question
to avoid repetition and save bandwidth.