Hi,

Thanks for the explanation. I was following this howto
http://computer-outlines.over-blog.com/article-nftables-7-nftables-logging-123303629.html
...and I totally missed that the guy is using dumpcap to log packets. So
maybe in that case it can log the prefix as well. Anyway, that does not
work in my case, I only need simple nft logging in pcap format.

On 13-04-2018 12:14, Anton Danilov wrote:
> Hi.
>
> There is no support for writing the log prefix into pcap.
>
> Read this: https://wiki.wireshark.org/Development/LibpcapFileFormat
>
>
> On 13 April 2018 at 01:19, darius <dram@xxxxxxxxxxx> wrote:
>> Hello all,
>>
>> I'm trying to get the prefix logged into the pcap file, the same way as
>> it is done in syslog. Everything works out of the box with syslog, but
>> it doesn't with pcap format. I have enabled the stack in ulogd.conf:
>>
>> # this is a stack for NFLOG packet-based logging to PCAP
>> stack=log2:NFLOG,base1:BASE,pcap1:PCAP
>>
>> [log2]
>> group=1
>>
>> [pcap1]
>> file="/var/log/ulogd.pcap"
>> sync=1
>>
>> The logging rule in nftables looks simple:
>>
>> tcp dport {ssh} counter log prefix "IN" group 1 log prefix "_INPUT_" group 2 accept
>>
>>
>> So, packets are logged: both in syslog and pcap. I can see the prefix in
>> syslog with 'logread', but there is no prefix in the pcap file when I
>> analyze it in Wireshark. Logging itself works ok. Any ideas what I'm
>> doing wrong?
>>
>>
>> --
>> To unsubscribe from this list: send the line "unsubscribe netfilter" in
>> the body of a message to majordomo@xxxxxxxxxxxxxxx
>> More majordomo info at http://vger.kernel.org/majordomo-info.html
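
The record layout behind the reply's pointer to the LibpcapFileFormat page, as an added example (not code from this thread or from ulogd): it writes and re-parses a classic pcap file to show that each record carries only two timestamp fields, two lengths and the packet bytes, so a rule's log prefix has no field to go into. The names build_pcap and parse_pcap, the sample packet and the link type value 101 are constructed for illustration.

```python
import struct

# Classic libpcap layout, little-endian, microsecond timestamps.
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, network
RECORD_HDR = struct.Struct("<IIII")     # ts_sec, ts_usec, incl_len, orig_len
MAGIC = 0xA1B2C3D4

# Constructed sample: IPv4 + TCP SYN, 192.0.2.1:49152 -> 192.0.2.2:22, checksums zeroed.
SAMPLE_PACKET = bytes.fromhex(
    "450000280001000040060000c0000201c0000202"
    "c000001600000000000000005002ffff00000000"
)

def build_pcap(packets, linktype=101, snaplen=65535):
    """Serialize (ts_sec, ts_usec, raw_bytes) tuples; linktype 101 is an assumed sample value."""
    out = GLOBAL_HDR.pack(MAGIC, 2, 4, 0, 0, snaplen, linktype)
    for ts_sec, ts_usec, data in packets:
        # The whole per-packet metadata is these 16 bytes; nothing else precedes the data.
        out += RECORD_HDR.pack(ts_sec, ts_usec, len(data), len(data)) + data
    return out

def parse_pcap(blob):
    """Return (file_header, records) and reject truncated input."""
    if len(blob) < GLOBAL_HDR.size:
        raise ValueError("truncated global header")
    magic, major, minor, _tz, _sig, snaplen, network = GLOBAL_HDR.unpack_from(blob, 0)
    if magic != MAGIC:
        raise ValueError("not a little-endian microsecond pcap file")
    header = {"version": (major, minor), "snaplen": snaplen, "network": network}
    records, off = [], GLOBAL_HDR.size
    while off < len(blob):
        if off + RECORD_HDR.size > len(blob):
            raise ValueError("truncated record header")
        ts_sec, ts_usec, incl_len, orig_len = RECORD_HDR.unpack_from(blob, off)
        off += RECORD_HDR.size
        if off + incl_len > len(blob):
            raise ValueError("truncated packet data")
        records.append({"ts_sec": ts_sec, "ts_usec": ts_usec, "incl_len": incl_len,
                        "orig_len": orig_len, "data": blob[off:off + incl_len]})
        off += incl_len
    return header, records

if __name__ == "__main__":
    hdr, recs = parse_pcap(build_pcap([(1523614440, 0, SAMPLE_PACKET)]))
    print(hdr)
    for rec in recs:
        print(sorted(rec))  # the complete set of per-record fields
```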