[arch-general] tcpdump (was: hostapd + ap_isolate)

Uwe Sauter uwe.sauter.de at gmail.com
Sat Oct 23 13:18:07 UTC 2021 


Am 23.10.21 um 14:29 schrieb u34 at net9.ga:
> Uwe Sauter via arch-general <arch-general at lists.archlinux.org> wrote:
> 
>>
>>>> Does the following quote, copied from
>>>> https://wiki.archlinux.org/title/Network_Debugging#Tcpdump, relevant?
>>>
>>>>     they can only see outbound packets the firewall passes through:
>>>> [https://superuser.com/questions/925286/does-tcpdump-bypass-iptables]
>>>
>>>> Perhaps you should disable the firewall, or loosen it, while debugging.
>>>
>>> Thanks for the hint, but it does not apply: (one of) the clients doesn't
>>> even have a firewall enabled and I still cannot see the packages. To me,
>>> it looks, like it doesn't even try to send the pings, because it maybe
>>> thinks, the target is not reachable anyways ...
>>>
>>
>>
>>   From my experience, tcpdump connects to the interface and you will see
>> all traffic regardless of firewall settings, given you have the permissions.
>>
>> In your case I'd first verify that layer 2 is working correctly (layer 2
>> is ethernet or wifi). So I'd use the utilities provided by
>> "wpa_supplicant" or "iw" to see if the "hardware connection" is working
>> as expected.
>>
>> If your wifi card didn't connect on layer 2 it has no reasons to
>> configure layer 3 (IP, IPv6) and above.
>>
>>
>> Regards,
>>
>> 	Uwe
> 
> Is Uwe implying tcpdump can see packets local software is trying to send,
> but the firewall blocks? That is, packets that are blocked, for example,
> by rules in the output chain?

Sorry, that perhaps was poorly worded. You are totally write, if an 
egress packet is discarded by the output or any of the following hooks 
(see [1]), it will be dropped by the kernel and thus cannot be seen by 
tcpdump.

I was referring to ingress packets that tcpdump / wireshark is able to 
capture before the firewall can filter.


[1] https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks


> As far as I know, tcpdump is probing the junction of the the nic and the
> wire. Packets that are blocked by firewall rules in the output chain can
> not reach that point. Which is why tcpdump can not see tham.
> With ascii graphic:
> 
>      [wire] <-> [tcpdump, if activated] <-> [nic] <-> [firewall] <-> [application]
> 
> And somewhat more accurately:
> 
>      [wire] <-> [[nic front end] <-> [tcpdump, if actiavted] <-> [nic back end]] <-> [firewall] <-> [application]
> 
> --
> u34
>

More information about the arch-general mailing list