Let's say I have a policy file, such as

fw         net    ACCEPT
net        fw     DROP

trusted    fw     ACCEPT
trusted    net    ACCEPT

untrusted  fw     DROP*
untrusted  net    ACCEPT

all        all    REJECT

What I'd like to do is send all the traffic from the untrusted network that is destined for the firewall (marked with a *) to a packet capture utility like tcpdump or tshark for analysis.

It seems like the QUEUE or NFQUEUE actions might do the trick, or I could use actions... But I've not played with either of those components of Shorewall, so I'm not sure of the way forward with them.

Tom Ritter

2 Answers


I don't know how to do it with Shorewall, but you can add rules manually to capture traffic originating from "untrusted" via NFLOG & Wireshark. Here is a howto link.


You need to replace the "-m owner --uid-owner 1000" part with your own match that selects the "untrusted" sources.


From risyasin's answer I was able to figure this out.

First, put the log destination in shorewall as NFLOG(x) (instead of info, or warn). x is an integer between 1 and 32 for the netlink group.

Now, capture the packets using tcpdump or dumpcap, and capture on the nflog:x interface. Write the packets to a pcap.

The pcap will be malformed - I'm not sure why, but the packets will come in with some ASCII log info, and other fields I have not decoded. But it's relatively easy to parse and filter the pcap and correct it.

import sys
import dpkt

infile, outfile = sys.argv[1], sys.argv[2]   # nflog capture in, corrected pcap out
# pcap files must be opened in binary mode, otherwise the reader chokes on the header
r = dpkt.pcap.Reader(open(infile, 'rb'))
w = dpkt.pcap.Writer(open(outfile, 'wb'))
for ts, pkt in r:
    # skip the NFLOG pseudo-header and log prefix (offset 124 in this capture) and
    # wrap the remaining IP packet in a plain Ethernet frame so Wireshark decodes it
    e = dpkt.ethernet.Ethernet()
    e.data = dpkt.ip.IP(pkt[124:])
    w.writepkt(e, ts)
w.close()
Tom Ritter
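The "ASCII log info" in the nflog capture is the NFLOG link-layer framing rather than corruption: libpcap records an nflog:x interface with link type LINKTYPE_NFLOG (239), a 4-byte header (address family, version 0, big-endian group id) followed by TLVs whose length and type fields are in the capturing host's byte order. Shorewall's log prefix rides in the NFULA_PREFIX TLV and the IP packet in NFULA_PAYLOAD, which is why a fixed 124-byte skip works for one prefix length and breaks for another. The following is an added example, not code from the answer above or from Shorewall or dpkt: it walks the TLVs with only the standard library, rewrites the capture as LINKTYPE_RAW (101) so tcpdump and Wireshark decode it as plain IP, and keeps the prefix per packet. The function names, the sample prefix "Shorewall:untrusted2fw:DROP:" and the 28-byte sample packet are constructed for illustration.

```python
"""Re-frame an nflog:N capture into a plain IP pcap by parsing the NFLOG TLVs.

Added example, not from the original post. Assumes the capture was written by
tcpdump/dumpcap on an nflog:<group> interface (LINKTYPE_NFLOG, 239).
"""
import struct

LINKTYPE_NFLOG = 239
LINKTYPE_RAW = 101        # each record starts directly with the IP header

NFULA_PACKET_HDR = 1      # hw_protocol (be16), hook (u8), pad (u8)
NFULA_PAYLOAD = 9         # the captured packet, starting at the IP header
NFULA_PREFIX = 10         # NUL-terminated log prefix string (Shorewall's "Shorewall:...")

PCAP_MAGIC = 0xA1B2C3D4


def parse_nflog(record, byteorder="<"):
    """Return (family, group, {tlv_type: value}) for one LINKTYPE_NFLOG record."""
    if len(record) < 4:
        raise ValueError("record too short for NFLOG header")
    family, version, group = struct.unpack("!BBH", record[:4])
    if version != 0:
        raise ValueError("unsupported NFLOG version %d" % version)
    tlvs, off = {}, 4
    while off + 4 <= len(record):
        # length counts the 4-byte TLV header but not the padding to a 4-byte boundary
        length, ttype = struct.unpack(byteorder + "HH", record[off:off + 4])
        if length < 4 or off + length > len(record):
            raise ValueError("bad TLV length %d at offset %d" % (length, off))
        tlvs[ttype] = record[off + 4:off + length]
        off += (length + 3) & ~3
    return family, group, tlvs


def nflog_to_ip(record, byteorder="<"):
    """Return (log_prefix, ip_packet) from one NFLOG record."""
    _, _, tlvs = parse_nflog(record, byteorder)
    if NFULA_PAYLOAD not in tlvs:
        raise ValueError("NFLOG record carries no packet payload")
    prefix = tlvs.get(NFULA_PREFIX, b"").rstrip(b"\0").decode("ascii", "replace")
    return prefix, tlvs[NFULA_PAYLOAD]


def convert_nflog_pcap(data):
    """Convert NFLOG pcap bytes to LINKTYPE_RAW pcap bytes; also return the prefixes."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        bo = "<"
    elif magic == 0xD4C3B2A1:
        bo = ">"
    else:
        raise ValueError("not a classic pcap file (magic %#x)" % magic)
    vmaj, vmin, zone, sigfigs, snaplen, linktype = struct.unpack(bo + "HHiIII", data[4:24])
    if linktype != LINKTYPE_NFLOG:
        raise ValueError("expected LINKTYPE_NFLOG (239), got link type %d" % linktype)
    out = [struct.pack(bo + "IHHiIII", PCAP_MAGIC, vmaj, vmin, zone, sigfigs, snaplen, LINKTYPE_RAW)]
    prefixes, off = [], 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack(bo + "IIII", data[off:off + 16])
        record = data[off + 16:off + 16 + incl]
        off += 16 + incl
        # libpcap writes the NFLOG TLV fields in the same host order as the file header
        prefix, ip = nflog_to_ip(record, bo)
        prefixes.append(prefix)
        out.append(struct.pack(bo + "IIII", sec, usec, len(ip), len(ip)) + ip)
    return b"".join(out), prefixes


def build_nflog_record(prefix, ip_packet, family=2, group=5, byteorder="<"):
    """Build a LINKTYPE_NFLOG record; used here only to construct sample input."""
    def tlv(ttype, value):
        pad = b"\0" * (-(4 + len(value)) % 4)
        return struct.pack(byteorder + "HH", 4 + len(value), ttype) + value + pad
    body = tlv(NFULA_PACKET_HDR, struct.pack("!HBB", 0x0800, 1, 0))
    body += tlv(NFULA_PREFIX, prefix + b"\0")
    body += tlv(NFULA_PAYLOAD, ip_packet)
    return struct.pack("!BBH", family, 0, group) + body


# Constructed sample: a 28-byte IPv4/TCP packet 192.168.1.100 -> 192.168.1.1:22
# (checksum left zero) with a Shorewall-style prefix for the untrusted->fw DROP rule.
SAMPLE_IP = bytes.fromhex(
    "4500001c 00010000 4006 0000"    # IPv4, total length 28, TTL 64, TCP, checksum 0
    "c0a80164 c0a80101"              # 192.168.1.100 -> 192.168.1.1
    "d4310016 00000000"              # sport 54321, dport 22, start of seq number
)
SAMPLE_PREFIX = b"Shorewall:untrusted2fw:DROP:"


def make_sample_pcap():
    """Constructed two-packet NFLOG pcap in the layout tcpdump -i nflog:5 -w produces."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_NFLOG)
    recs = b""
    for sec in (1700000000, 1700000001):
        rec = build_nflog_record(SAMPLE_PREFIX, SAMPLE_IP)
        recs += struct.pack("<IIII", sec, 0, len(rec), len(rec)) + rec
    return hdr + recs


if __name__ == "__main__":
    converted, prefixes = convert_nflog_pcap(make_sample_pcap())
    with open("untrusted2fw.pcap", "wb") as f:   # opens in tcpdump/Wireshark as raw IP
        f.write(converted)
    print("%d packets, prefixes: %s" % (len(prefixes), sorted(set(prefixes))))
```

To use it on a real capture, read the file written by tcpdump or dumpcap on nflog:x into convert_nflog_pcap instead of make_sample_pcap. Emitting LINKTYPE_RAW avoids inventing an Ethernet header, and keeping the prefix list lets you confirm that every packet really came from the untrusted2fw DROP rule rather than from another chain logging to the same group.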