
Host C is using Wireshark to sniff packets from Host A to Host B. I am able to see those packets in Wireshark, but I am not able to find them in the PREROUTING chain of iptables. When Host C arpspoofs Host A and B, I can then see the packets in my PREROUTING chain.

Without arpspoofing, in which iptables chain will the packets that I sniffed from A to B appear?

schroeder
Lew Wei Hao

1 Answer


Without ARP spoofing, the packets with an Ethernet destination different from host C’s own address will not reach any chain of netfilter.

When you use Wireshark, it sets the Ethernet NIC in promiscuous mode, to see packets with other destinations, but they are still not handled by the kernel and netfilter.

user2233709
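The behaviour described in the answer above, as an added Python model that is not part of the original question or answer: it classifies a raw Ethernet frame by destination MAC the way Linux's `eth_type_trans()` does, then applies the IPv4 receive path's rule of dropping `PACKET_OTHERHOST` frames before the PREROUTING hook runs. The MAC addresses and the helper names (`classify`, `reaches_prerouting`, `eth_frame`) are constructed for illustration.

```python
import struct

# Constructed sample MAC addresses (assumptions, not values from the post)
MAC_A = bytes.fromhex("020000000a0a")
MAC_B = bytes.fromhex("020000000b0b")
MAC_C = bytes.fromhex("020000000c0c")  # the sniffing host
BROADCAST = b"\xff" * 6
ETH_P_IP, ETH_P_ARP = 0x0800, 0x0806


def eth_frame(dst, src, ethertype=ETH_P_IP, payload=b"\x45" + b"\x00" * 19):
    """Build a minimal constructed Ethernet frame: dst MAC, src MAC, EtherType, payload."""
    return dst + src + struct.pack("!H", ethertype) + payload


def classify(frame, own_mac):
    """Packet type assigned on receive, keyed only on the destination MAC."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst = frame[0:6]
    if dst == BROADCAST:
        return "PACKET_BROADCAST"
    if dst[0] & 0x01:  # group bit set: multicast
        return "PACKET_MULTICAST"
    if dst == own_mac:
        return "PACKET_HOST"
    # Only delivered by the NIC at all when it is in promiscuous mode
    return "PACKET_OTHERHOST"


def reaches_prerouting(frame, own_mac):
    """True if the frame would be handed to the IPv4 PREROUTING hook on this host."""
    pkt_type = classify(frame, own_mac)
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETH_P_IP:
        return False  # ARP and other protocols never enter the IPv4 hooks
    # The IPv4 receive path discards frames addressed to another host's MAC
    # before the hook; capture taps such as Wireshark's still get a copy.
    return pkt_type != "PACKET_OTHERHOST"


if __name__ == "__main__":
    cases = {
        "A -> B, sniffed on C (promiscuous)": eth_frame(MAC_B, MAC_A),
        "A -> B after ARP spoofing (dst MAC is C)": eth_frame(MAC_C, MAC_A),
        "ARP broadcast from A": eth_frame(BROADCAST, MAC_A, ETH_P_ARP, b"\x00" * 28),
    }
    for name, frame in cases.items():
        print(f"{name}: {classify(frame, MAC_C)}, "
              f"PREROUTING={reaches_prerouting(frame, MAC_C)}")
```
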