# ulogd and packet capture [SOLVED]

## upengan78

Hello,

So, I unmasked the newest ulogd, excited to use it for some packet capturing with the capture written into /var/log/ulog.pcap, but currently it's not working for me.

```
[I] app-admin/ulogd
     Available versions:  1.23-r1 ~1.24-r2 (~)2.0.0_beta4 {{doc mysql pcap postgres sqlite}}
     Installed versions:  2.0.0_beta4(11:14:16 AM 12/04/2012)(pcap -doc -mysql -postgres)
     Homepage:            http://netfilter.org/projects/ulogd/index.html
     Description:         A userspace logging daemon for netfilter/iptables related logging
```

/etc/ulogd.conf

```
[global]
logfile="/var/log/ulogd.log"
loglevel=1
plugin="/usr/lib64/ulogd/ulogd_inppkt_NFLOG.so"
plugin="/usr/lib64/ulogd/ulogd_inppkt_ULOG.so"
plugin="/usr/lib64/ulogd/ulogd_inpflow_NFCT.so"
plugin="/usr/lib64/ulogd/ulogd_filter_IFINDEX.so"
plugin="/usr/lib64/ulogd/ulogd_filter_IP2STR.so"
plugin="/usr/lib64/ulogd/ulogd_filter_IP2BIN.so"
plugin="/usr/lib64/ulogd/ulogd_filter_PRINTPKT.so"
plugin="/usr/lib64/ulogd/ulogd_filter_HWHDR.so"
plugin="/usr/lib64/ulogd/ulogd_filter_PRINTFLOW.so"
plugin="/usr/lib64/ulogd/ulogd_filter_MARK.so"
plugin="/usr/lib64/ulogd/ulogd_output_LOGEMU.so"
plugin="/usr/lib64/ulogd/ulogd_output_SYSLOG.so"
plugin="/usr/lib64/ulogd/ulogd_output_OPRINT.so"
plugin="/usr/lib64/ulogd/ulogd_output_NACCT.so"
plugin="/usr/lib64/ulogd/ulogd_output_PCAP.so"
plugin="/usr/lib64/ulogd/ulogd_output_DBI.so"
plugin="/usr/lib64/ulogd/ulogd_raw2packet_BASE.so"

stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
stack=ulog1:ULOG,base1:BASE,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
stack=log2:NFLOG,mark1:MARK,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
stack=ct1:NFCT,ip2str1:IP2STR,print1:PRINTFLOW,emu1:LOGEMU
stack=ct1:NFCT,op1:OPRINT
stack=log2:NFLOG,base1:BASE,pcap1:PCAP
stack=log3:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,sys1:SYSLOG
stack=ct1:NFCT,ip2bin1:IP2BIN,mysql2:MYSQL
stack=ct1:NFCT,ip2str1:IP2STR,pgsql2:PGSQL
stack=ct1:NFCT,ip2str1:IP2STR,pgsql3:PGSQL
stack=ct1:NFCT,ip2str1:IP2STR,nacct1:NACCT

[ct1]

[ct2]
hash_enable=0

[log1]
group=0

[log2]
group=1 # Group has to be different from the one use in log1

[log3]
group=2 # Group has to be different from the one use in log1/log2
numeric_label=1 # you can label the log info based on the packet verdict

[ulog1]
nlgroup=1

[emu1]
file="/var/log/iptables.log"
sync=1

[op1]
file="/var/log/ulogd_oprint.log"
sync=1

[xml1]
directory="/var/log/"
sync=1

[pcap1]
file="/var/log/ulogd.pcap"
sync=1

[mysql1]
db="nulog"
host="localhost"
user="nupik"
table="ulog"
pass="changeme"
procedure="INSERT_PACKET_FULL"

[mysql2]
db="nulog"
host="localhost"
user="nupik"
table="ulog"
pass="changeme"
procedure="INSERT_CT"

[pgsql1]
db="nulog"
host="localhost"
user="nupik"
table="ulog"
pass="changeme"
procedure="INSERT_PACKET_FULL"

[pgsql2]
db="nulog"
host="localhost"
user="nupik"
table="ulog2_ct"
pass="changeme"
procedure="INSERT_CT"

[pgsql3]
db="nulog"
host="localhost"
user="nupik"
table="ulog2_ct"
pass="changeme"
procedure="INSERT_OR_REPLACE_CT"

[dbi1]
db="ulog2"
dbtype="pgsql"
host="localhost"
user="ulog2"
table="ulog"
pass="ulog2"
procedure="INSERT_PACKET_FULL"

[sys2]
facility=LOG_LOCAL2

[nacct1]
sync = 1

[mark1]
mark = 1
```

/var/log/ulogd.log: http://pastebin.ca/2289402

`iptables -L -nv | grep LOG` <-- just to show that there are chains/rules configured to use ULOG

```
 8719 2152K LOGNDROP   all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 15/min burst 5 LOG flags 0 level 4 prefix "BADFLAGS: "
    0     0 ULOG       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ULOG copy_range 0 nlgroup 1 queue_threshold 1
Chain LOGNDROP (1 references)
  458  113K LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 15/min burst 5 LOG flags 0 level 4 prefix "DENIED: "
    0     0 ULOG       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpts:1:9999 ULOG copy_range 0 nlgroup 1 queue_threshold 1
    0     0 ULOG       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:80 ULOG copy_range 0 nlgroup 1 queue_threshold 1
    0     0 ULOG       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:443 ULOG copy_range 0 nlgroup 1 queue_threshold 1
```

Can someone please help to get pcap working with ulogd?

Last edited by upengan78 on Tue Dec 04, 2012 10:55 pm; edited 1 time in total

----------

## upengan78

Update:

I noted that in the ulogd.conf file, the stack line for PCAP states that it is using NFLOG, not ULOG.

```
stack=log2:NFLOG,base1:BASE,pcap1:PCAP
```

So, I added the rules below to my iptables after making sure I had CONFIG_NETFILTER_XT_TARGET_NFLOG=m in .config and the modules compiled/installed.

```
iptables -L -nv | grep NFLOG
    0     0 NFLOG      all  --  *      *       0.0.0.0/0            0.0.0.0/0            nflog-group 1 nflog-range 100
    6   360 NFLOG      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpts:1:9999 nflog-group 1 nflog-range 100
    0     0 NFLOG      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:80 nflog-group 1 nflog-range 100
    0     0 NFLOG      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:443 nflog-group 1 nflog-range 100
```

`tail -f /var/log/ulogd.pcap | tcpdump -r - -qtnp`

```
reading from file -, link-type RAW (Raw IP)
IP 1.2.3.226.44398 > 1.2.3.196.23: tcp 0
IP 1.2.3.226.44398 > 1.2.3.196.23: tcp 0
IP 1.2.3.226.44398 > 1.2.3.196.23: tcp 0
IP 1.2.3.226.44398 > 1.2.3.196.23: tcp 0
IP 1.2.3.226.44398 > 1.2.3.196.23: tcp 0
IP 1.2.3.226.44398 > 1.2.3.196.23: tcp 0
```

I telnetted from another machine to my machine and I see that /var/log/ulogd.pcap is getting written fine now. Those 6 packets for dpts:1:9999 appeared as a result.

Sorry for not posting my full iptables rules. I know the grep doesn't really show the iptables chains/rules properly when there are multiple chains, but the part that matters is what is pasted here.

Thanks.

----------
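The root cause in this thread is a mismatch between what a ulogd stack listens on and what the firewall actually sends: the PCAP stack's input instance `log2` is an NFLOG input on group 1, while the rules only used the legacy ULOG target (nlgroup 1), so nothing ever reached `pcap1`. The script below is an added example, not code from the thread or from the ulogd project: it parses a ulogd.conf, reads the output of `iptables -L -nv`, and reports every packet-input instance (NFLOG or ULOG) that no rule feeds, together with the outputs that will therefore stay empty. The sample config and rule listings are constructed from the posts above and trimmed to what the check needs. Two things are assumptions rather than facts from the page: that ulogd's NFLOG input defaults to `group` 0 and its ULOG input to `nlgroup` 1 when the section omits them, and that iptables omits `nflog-group` from its listing when the group is 0.

```python
"""Cross-check ulogd stacks against iptables rules (added example)."""
import re

STACK_RE = re.compile(r'^\s*stack\s*=\s*(.+?)\s*$')
SECTION_RE = re.compile(r'^\s*\[(\w+)\]\s*$')
KV_RE = re.compile(r'^\s*(\w+)\s*=\s*([^#]*?)\s*(#.*)?$')

# Default group per input plugin when its section leaves it unset
# (assumption: NFLOG -> group 0, ULOG -> nlgroup 1).
INPUT_GROUP_KEY = {'NFLOG': ('group', 0), 'ULOG': ('nlgroup', 1)}


def parse_ulogd_conf(text):
    """Return (stacks, sections).

    stacks:   list of stacks, each a list of (instance, plugin) tuples
    sections: {instance: {key: value}} for every [section] in the file
    """
    stacks, sections, current = [], {}, None
    for line in text.splitlines():
        m = STACK_RE.match(line)
        if m:  # stack=inst:PLUGIN,inst:PLUGIN,...
            parts = [p.strip().split(':', 1) for p in m.group(1).split(',')]
            stacks.append([(p[0], p[1]) for p in parts if len(p) == 2])
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        m = KV_RE.match(line)
        if m and current is not None:  # strip trailing comment and quotes
            sections[current][m.group(1)] = m.group(2).strip().strip('"')
    return stacks, sections


def parse_firewall_groups(text):
    """Return the set of (target, group) pairs seen in `iptables -L -nv` output.

    NFLOG rules print 'nflog-group N' (omitted when N is 0, by assumption);
    legacy ULOG rules print 'nlgroup N'.
    """
    groups = set()
    for line in text.splitlines():
        if re.search(r'\bNFLOG\b', line):
            m = re.search(r'nflog-group\s+(\d+)', line)
            groups.add(('NFLOG', int(m.group(1)) if m else 0))
        elif re.search(r'\bULOG\b', line):
            m = re.search(r'nlgroup\s+(\d+)', line)
            if m:
                groups.add(('ULOG', int(m.group(1))))
    return groups


def diagnose(conf_text, iptables_text):
    """Map each packet-input instance to its plugin, group, whether any rule
    feeds it, and the output instances that depend on it.

    Stacks whose input is not NFLOG/ULOG (e.g. NFCT conntrack) need no
    firewall rule and are skipped.
    """
    stacks, sections = parse_ulogd_conf(conf_text)
    fed_by = parse_firewall_groups(iptables_text)
    result = {}
    for stack in stacks:
        inst, plugin = stack[0]
        if plugin not in INPUT_GROUP_KEY:
            continue
        key, default = INPUT_GROUP_KEY[plugin]
        group = int(sections.get(inst, {}).get(key, default))
        entry = result.setdefault(inst, {'plugin': plugin, 'group': group,
                                         'fed': (plugin, group) in fed_by,
                                         'outputs': []})
        entry['outputs'].append(stack[-1][0])
    return result


def report(conf_text, iptables_text):
    """One human-readable line per input instance."""
    lines = []
    for inst, e in diagnose(conf_text, iptables_text).items():
        state = 'fed' if e['fed'] else 'NO MATCHING RULE -> outputs stay empty'
        lines.append(f"{inst}: {e['plugin']} group {e['group']} "
                     f"-> {', '.join(e['outputs'])}: {state}")
    return '\n'.join(lines)


# Constructed sample input, trimmed from the thread's ulogd.conf.
SAMPLE_CONF = """
[global]
logfile="/var/log/ulogd.log"
stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
stack=ulog1:ULOG,base1:BASE,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
stack=ct1:NFCT,op1:OPRINT
stack=log2:NFLOG,base1:BASE,pcap1:PCAP

[log1]
group=0

[log2]
group=1 # Group has to be different from the one use in log1

[ulog1]
nlgroup=1

[pcap1]
file="/var/log/ulogd.pcap"
sync=1
"""

# Constructed rule listings: before (ULOG only) and after adding NFLOG rules.
RULES_BEFORE = """Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ULOG       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ULOG copy_range 0 nlgroup 1 queue_threshold 1
"""
RULES_AFTER = RULES_BEFORE + """    6   360 NFLOG      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpts:1:9999 nflog-group 1 nflog-range 100
"""

if __name__ == '__main__':
    print('--- before ---')
    print(report(SAMPLE_CONF, RULES_BEFORE))
    print('--- after ---')
    print(report(SAMPLE_CONF, RULES_AFTER))
```

Running it on a live box means feeding `diagnose()` the real `/etc/ulogd.conf` and the output of `iptables -L -nv` (plus `ip6tables` and any other tables you log from, since `-L` without `-t` only shows the filter table). An input instance reported as unfed is the first place to look when an output file such as the pcap stays empty.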

