Logging the whole packet
rtilley at vt.edu
Wed Nov 24 02:12:28 CET 2004
Jason Opperisano wrote:
>On Tue, Nov 23, 2004 at 04:50:28PM -0500, Brad Tilley wrote:
>>Is it possible to log the packet body and not just the header?
>>Currently I have this line in my iptables start-up file:
>>/sbin/iptables -I INPUT -p tcp -s ! 126.96.36.199 -d 188.8.131.52 -j
>>And it generates log entries such as this:
>>Nov 23 16:44:28 athop1 kernel: Packet_Filter:IN=eth0 OUT=
>>DST=184.108.40.206 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=29621 DF
>>PROTO=TCP SPT=60366 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
>>I'd like to capture the packet body as well. I'm new to packet logging
>>so forgive me if I'm overlooking the obvious.
>AFAIK, the normal LOG target cannot actually do this. instead, use the
>ULOG target which will copy the entire packet to the userspace ulogd
>daemon where you can use the ulogd_PCAP.so plugin to create a tcpdump
>file of the packets you are interested in. check out:
>for more details about ulogd.
>"Television! Teacher, mother, secret lover."
> --The Simpsons
Thanks, that works great. I had to recompile the kernel to get ULOG
support, but other than that, it's rather straightforward. I added this
line to my iptables startup script:
/sbin/iptables -I INPUT -p tcp -s ! 220.127.116.11 -d 18.104.22.168 -j
ULOG --ulog-prefix "Packet_Filter:"
I'm using the /usr/lib/ulogd/ulogd_OPRINT.so plugin to write the packet
capture to a file for now. Here's a sample of what it looks like:
Now, all I need to do is figure out what's in the packet body. Any
pointers on that? Ideally I'd like to write a script that recreates
keystrokes from packets that contain ssh session info. Probably
off-topic here, but I thought I'd ask. Thanks for the ULOG tip!
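As an added example (not code from this thread, from ulogd or from netfilter): a small Python parser for the pcap file that the ulogd_PCAP.so plugin writes. It prints the same header fields the kernel LOG line in the question shows, and then the TCP body that LOG leaves out. It assumes the capture starts at the IP header (pcap link type 12 or 101, "raw IP"), which is what netfilter hands to userspace; an Ethernet-framed capture (link type 1) is handled too. The packets below are constructed inline so the script runs offline; nothing here is captured traffic.

```python
"""Read a pcap file (as written by ulogd's PCAP plugin, assumed raw-IP link type)
and show, per packet, the LOG-style header line plus the TCP body LOG omits."""
import struct

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
LINKTYPE_RAW_IP = (12, 101)  # DLT_RAW / LINKTYPE_RAW (assumption: ulogd_PCAP output)
TCP_FLAGS = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")  # bit order in the flags byte


def ipv4_checksum(header):
    """RFC 1071 one's-complement sum; 0 when run over a header with a valid checksum."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_tcp(src, dst, sport, dport, flags, payload, ttl=110, ident=29621):
    """Construct a raw IPv4+TCP packet (DF set, window 16384). Sample input only."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 16384, 0, 0) + payload
    quad = lambda a: bytes(int(x) for x in a.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ident, 0x4000,
                     ttl, 6, 0, quad(src), quad(dst))
    return ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:] + tcp


def build_pcap(packets, linktype=12):
    """Classic pcap file image: 24-byte global header, 16-byte record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)
    for i, pkt in enumerate(packets):  # constructed timestamps, one second apart
        out += struct.pack("<IIII", 1101174268 + i, 0, len(pkt), len(pkt)) + pkt
    return out


def read_pcap(data):
    """Yield (linktype, packet_bytes) for every record, honouring the file's byte order."""
    endian = {PCAP_MAGIC: "<", 0xD4C3B2A1: ">"}.get(struct.unpack_from("<I", data, 0)[0])
    if endian is None:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack_from(endian + "IHHiIII", data, 0)[6]
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "IIII", data, off)[2]
        off += 16
        yield linktype, data[off:off + incl_len]
        off += incl_len


def decode_packet(linktype, pkt):
    """Return the fields the LOG target prints plus the TCP payload it drops."""
    if linktype == LINKTYPE_ETHERNET:
        if struct.unpack_from("!H", pkt, 12)[0] != 0x0800:
            return None  # not IPv4
        pkt = pkt[14:]
    elif linktype not in LINKTYPE_RAW_IP:
        raise ValueError("unsupported link type %d" % linktype)
    vihl, tos, tlen, ident, frag, ttl, proto, _c, src, dst = struct.unpack_from("!BBHHHBBH4s4s", pkt, 0)
    if vihl >> 4 != 4:
        return None
    ihl = (vihl & 0x0F) * 4
    info = {"SRC": ".".join(map(str, src)), "DST": ".".join(map(str, dst)), "LEN": tlen,
            "TOS": tos, "TTL": ttl, "ID": ident, "DF": bool(frag & 0x4000),
            "PROTO": {1: "ICMP", 6: "TCP", 17: "UDP"}.get(proto, str(proto)),
            "hdr_checksum_ok": ipv4_checksum(pkt[:ihl]) == 0, "payload": b""}
    if proto == 6:
        sport, dport, _s, _a, doff, flags, win, _tc, urgp = struct.unpack_from("!HHIIBBHHH", pkt, ihl)
        info.update(SPT=sport, DPT=dport, WINDOW=win, URGP=urgp,
                    FLAGS=[n for i, n in enumerate(TCP_FLAGS) if flags & (1 << i)],
                    payload=pkt[ihl + (doff >> 4) * 4:tlen])  # body ends at IP total length
    return info


def format_like_log(info):
    """Same layout as the kernel LOG line from the question."""
    line = "SRC=%s DST=%s LEN=%d TOS=0x%02x TTL=%d ID=%d%s PROTO=%s" % (
        info["SRC"], info["DST"], info["LEN"], info["TOS"], info["TTL"], info["ID"],
        " DF" if info["DF"] else "", info["PROTO"])
    if info["PROTO"] == "TCP":
        line += " SPT=%d DPT=%d WINDOW=%d %s URGP=%d" % (
            info["SPT"], info["DPT"], info["WINDOW"], " ".join(info["FLAGS"]), info["URGP"])
    return line


def hexdump(data, width=16):
    """Offset, hex bytes and printable ASCII, 16 bytes per row."""
    rows = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        rows.append("%04x  %-*s  %s" % (off, width * 3 - 1, " ".join("%02x" % b for b in chunk), asc))
    return "\n".join(rows)


def summarize(pcap_bytes):
    """Decode every IPv4 packet in the file; returns a list of (log_line, payload)."""
    return [(format_like_log(i), i["payload"]) for i in
            (decode_packet(lt, p) for lt, p in read_pcap(pcap_bytes)) if i is not None]


# Constructed sample: a bare SYN (no body) and a PSH/ACK segment carrying an SSH banner.
SAMPLE_PCAP = build_pcap([
    build_ipv4_tcp("192.0.2.10", "192.0.2.20", 60366, 445, 0x02, b""),
    build_ipv4_tcp("192.0.2.10", "192.0.2.20", 41000, 22, 0x18, b"SSH-2.0-OpenSSH_3.9p1\r\n"),
])

if __name__ == "__main__":
    for log_line, body in summarize(SAMPLE_PCAP):
        print(log_line)
        print(hexdump(body) if body else "  (no body)")
```

Run it on a real file with `summarize(open("ulogd.pcap", "rb").read())`. The first record of the sample decodes to the same fields as the LOG line in the question (SYN, no body); the second shows a body. On the SSH question: only the version banner and the key exchange travel in the clear, and everything after that is ciphertext, so a body like the one in the sample is what an SSH packet capture shows readable.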