On Mon, Jun 16, 2003 at 10:56:04PM +1000, George Vieira wrote:
> If I'm not wrong, I think tcpdump works on a different layer to netfilter so even though it's dropped I think tcpdump still sees them.... but I may be wrong.
> Does it eventually give out DHCP IPs or receive an IP address or doesn't it? If DHCP isn't working then it's probably dropped but tcpdump still sees them..
>
> I just did a test from work to home which I'm definitely blocking port 6665 and I get the same results but I know 6665 is being dropped... yet TCPDUMP catches it before netfilter.
>
> Jun 16 22:52:24 newjackswing kernel: INET IN=ppp0 OUT= MAC= SRC=203.111.79.114 DST=150.101.112.146 LEN=60 TOS=0x00 PREC=0xE0 TTL=50 ID=44842 DF PROTO=TCP SPT=3698 DPT=6665 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405840402080A0B09245F0000000001030300)
>
> [root@xxxxxxxxxxxx /usr]# tcpdump -x port 6665
> Kernel filter, protocol ALL, datagram packet socket
> tcpdump: listening on all devices
> 22:52:24.984380 if134 < work.domain.com.3698 > myhome.domain.com.6665: S 614501237:614501237(0) win 5840 <mss 1412,sackOK,timestamp 185148511 0,nop,wscale 0> (DF) [tos 0xe0]
> 45e0 003c af2a 4000 3206 76d8 cb6f 4f72
> 9665 7092 0e72 1a09 24a0 8b75 0000 0000
> a002 16d0 0795 0000 0204 0584 0402 080a
> 0b09 245f 0000 0000 0103 0300
>
> So I think I might be right? Anybody wanna shed some light with this layer stuff ;) I'm confused on that part ;P

You are right. tcpdump would see the packets before any filter chains...

Ramin
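
Added example, not part of the original messages: a Python script that decodes the tcpdump -x hex dump quoted above and compares it field by field with the netfilter LOG line, to confirm that the packet tcpdump captured is the same one the firewall logged. Both inputs are copied from the thread; the function names are illustrative.

```python
import re
import struct

# Both inputs are copied from the message above.
LOG_LINE = ("INET IN=ppp0 OUT= MAC= SRC=203.111.79.114 DST=150.101.112.146 "
            "LEN=60 TOS=0x00 PREC=0xE0 TTL=50 ID=44842 DF PROTO=TCP SPT=3698 "
            "DPT=6665 WINDOW=5840 RES=0x00 SYN URGP=0 "
            "OPT (020405840402080A0B09245F0000000001030300)")
HEX_DUMP = """
45e0 003c af2a 4000 3206 76d8 cb6f 4f72
9665 7092 0e72 1a09 24a0 8b75 0000 0000
a002 16d0 0795 0000 0204 0584 0402 080a
0b09 245f 0000 0000 0103 0300
"""

def parse_log(line):
    """Return the KEY=value fields of a netfilter LOG line, plus the OPT hex."""
    fields = dict(re.findall(r"(\w+)=(\S*)", line))
    opt = re.search(r"OPT \(([0-9A-Fa-f]+)\)", line)
    fields["OPT"] = opt.group(1).lower() if opt else ""
    return fields

def parse_dump(dump):
    """Decode the IPv4 and TCP headers from tcpdump -x output (no link header)."""
    raw = bytes.fromhex("".join(dump.split()))
    vihl, tos, length, ident, _frag, ttl, proto, _sum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", raw[:20])
    ihl = (vihl & 0x0F) * 4                      # IP header length in bytes
    sport, dport, _seq, _ack, off_flags, window = struct.unpack(
        "!HHIIHH", raw[ihl:ihl + 16])
    tcp_end = ihl + (off_flags >> 12) * 4        # end of TCP header incl. options
    return {"SRC": ".".join(map(str, src)), "DST": ".".join(map(str, dst)),
            "LEN": str(length), "TTL": str(ttl), "ID": str(ident),
            # netfilter logs the TOS byte as two masked fields
            "TOS": "0x%02X" % (tos & 0x1E), "PREC": "0x%02X" % (tos & 0xE0),
            "PROTO": {6: "TCP"}.get(proto, str(proto)),
            "SPT": str(sport), "DPT": str(dport), "WINDOW": str(window),
            "OPT": raw[ihl + 20:tcp_end].hex(),
            "SYN": bool(off_flags & 0x02)}

def mismatches(log, pkt):
    """Fields where the decoded packet disagrees with the LOG line."""
    return [k for k, v in pkt.items() if k != "SYN" and log.get(k) != v]

if __name__ == "__main__":
    pkt = parse_dump(HEX_DUMP)
    print("decoded:", pkt)
    print("mismatches vs LOG line:", mismatches(parse_log(LOG_LINE), pkt))
```

An empty mismatch list means the capture and the firewall log describe the same SYN, so seeing a packet in tcpdump says nothing about whether netfilter later accepted or dropped it.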