Capturing packets via l7filter

Question

As a part of my Ph. D study, I compile linux-2.6.28 kernel to support in-kernel l7filtering capabilities.

I'm adding a single rule to iptables with the following:

iptables -t mangle -A PREROUTING -m layer7 --l7proto http -j NFQUEUE

I wrote a standard capture program using libipq to read packets from queue.

For testing, I m sending a single http session composed of 18 packets which include two HTTP requests and reply data from another machine.

Problem is that my capture program only receives two packets, the first packets of HTTP replies ( that are matched by the filter.) while I hope to receive all 18 packets.

What I need is to be able to read all packets (not only the matched packets) of a matched session.

For instance, if I want to capture and analyze Yahoo Email Message Sessions only among all HTTP sessions, can I use l7filter to pass only packets of relevant sessions (Yahoo Email Message Session) ?

Thanks.

Answer 1

If all you're trying to do is filter your packet capture to see only HTTP traffic to a certain host, you can probably just do it by looking at the port and host. Use tcpdump or tshark with filters. Something like:

tcpdump -i eth0 tcp port 80 or 443

Should give you just the HTTP traffic (on the standard ports).

If you want to narrow it down to certain IPs/networks add them to the filter as well:

tcpdump -i eth0 '(tcp port 80 or 443) and net 123.123.123.123/24'