Le mar 05/08/2003 à 09:52, Edmund a écrit : > Anyway, today I was majorly surprised to see > a Local IP sending a packet to a remote LAN > on port 80. > tcp 192.168.10.3:2041 <-> x.x.x.x:80 > Is this supposed to happen? Assuming that > pktstat listens to the resulting packet > after NAT'd, shouldn't the 192.168.10.3 > be my actual Internet IP? Afaik, libpcap capture outgoing traffic at last routing point, i.e. before NF_IP_POST_ROUTING hook. Thus, packets you get are not yet SNATed. I think it's merely the same for inbound traffic (need someone to confirm), that is captured after NF_IP_PRE_ROUTING hook, and so is already DNATed. It's quite wierd as one would like to capture the very traffic that is sent to the wire or traffic recieved from the wire unaltered, whatever active ruleset. -- http://www.netexit.com/~sid/ PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
