# iptables -J NFLOG and tcpdump - much gnashing of teeth!

## MrUlterior

Out of curiosity I've been trying to log particular traffic on my LAN, so I've set up some iptables rules that include:

```
...
iptables -A FORWARD -m mac --mac-source XX:XX:XX:XX:XX:XX -j NFLOG --nflog-group 2
iptables -A FORWARD -p tcp -d 192.168.XXX.XXX -j NFLOG --nflog-group 2
iptables -A FORWARD -p udp -d 192.168.XXX.XXX -j NFLOG --nflog-group 2
...
iptables -A INPUT -p all -i wlan0 -j NFLOG --nflog-group 1
```

They work, when I fire up wireshark & point it at the NFLOG interface I can see all the interesting traffic logged.

But when I run:

```
tcpdump -i nflog:1 -w /home/nflog-1-${DUMP_LOG_DATE}.log
tcpdump -i nflog:2 -w /home/nflog-2-${DUMP_LOG_DATE}.log
```

I get:

```
tcpdump: WARNING: SIOCGIFADDR: nflog:1: No such device
tcpdump: /home/nflog-0-20130912-230157.log: No such file or directory
tcpdump: WARNING: SIOCGIFADDR: nflog:2: No such device
tcpdump: /home/nflog-1-20130912-230157.log: No such file or directory
```

What gives? I notice that wireshark runs dumpcap like this:

```
dumpcap -n -i nflog -y NFLOG -U zone
```

So I tried a similar thing with tcpdump:

```
# tcpdump -i nflog -w /home/blah.log
tcpdump: Can't listen on group group index: Operation not permitted
```

tcpdump relies on libpcap (built with netlink support) and iptables itself seems to be built correctly:

```
# for M in iptables libpcap netfilter tcpdump; do eix -I $M; done
[I] net-firewall/iptables
     Available versions:  1.4.6 1.4.10 ~1.4.10-r1 1.4.11.1-r2 ~1.4.12 1.4.12.1 ~1.4.12.1-r1 1.4.13 ~1.4.13-r2 ~1.4.14-r1 ~1.4.15-r1 ~1.4.16.2 1.4.16.3 ~1.4.17 {ipv6 netlink static-libs}
     Installed versions:  1.4.16.3(22:19:59 09/12/13)(ipv6 netlink -static-libs)
     Homepage:            http://www.iptables.org/
     Description:         Linux kernel (2.4+) firewall, NAT and packet mangling tools

[I] net-libs/libpcap
     Available versions:  1.1.1-r1 1.3.0-r1 {bluetooth canusb ipv6 netlink static-libs}
     Installed versions:  1.3.0-r1(22:17:11 09/12/13)(ipv6 netlink -bluetooth -canusb -static-libs)
     Homepage:            http://www.tcpdump.org/
     Description:         A system-independent library for user-level network packet capture

[I] net-libs/libnetfilter_conntrack
     Available versions:  1.0.0 ~1.0.1 1.0.2 {static-libs}
     Installed versions:  1.0.2(00:33:22 02/23/13)(-static-libs)
     Homepage:            http://www.netfilter.org/projects/libnetfilter_conntrack/
     Description:         programming interface (API) to the in-kernel connection tracking state table

[I] net-analyzer/tcpdump
     Available versions:  3.9.8 3.9.8-r1 ~4.1.1 ~4.2.0 ~4.2.1 4.3.0 {(+)chroot ipv6 (-)samba smi ssl suid test}
     Installed versions:  4.3.0(22:19:22 09/12/13)(chroot ipv6 ssl -samba -smi -suid -test)
     Homepage:            http://www.tcpdump.org/
     Description:         A Tool for network monitoring and data acquisition
```

Heeeeelp!
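Once `tcpdump -i nflog:N -w file` does work, the file it writes uses the NFLOG link type (DLT 239): each record starts with a 4-byte header (address family, version, big-endian group id) followed by netlink-style TLVs carrying the prefix, payload and so on. The reader below is an added example, not code from the thread; it builds a constructed one-packet capture for group 2 in memory and parses it back, assuming the TLV length/type fields are in the pcap file's own byte order and the type values from nfnetlink_log.h (NFULA_PAYLOAD = 9, NFULA_PREFIX = 10).

```python
import struct

LINKTYPE_NFLOG = 239
NFULA_PAYLOAD, NFULA_PREFIX = 9, 10  # TLV types, as in linux/netfilter/nfnetlink_log.h


def parse_nflog_pcap(data):
    """Return [(family, group, prefix, payload)] for every record in a DLT_NFLOG pcap."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        e = "<"                      # little-endian writer
    elif magic == b"\xa1\xb2\xc3\xd4":
        e = ">"                      # big-endian writer
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(e + "I", data[20:24])[0]
    if linktype != LINKTYPE_NFLOG:
        raise ValueError("linktype %d is not NFLOG" % linktype)
    out, off = [], 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(e + "IIII", data[off:off + 16])
        rec = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        family, _version, group = struct.unpack(">BBH", rec[:4])  # group id is big-endian
        prefix, payload, pos = "", b"", 4
        while pos + 4 <= len(rec):
            tlv_len, tlv_type = struct.unpack(e + "HH", rec[pos:pos + 4])  # assumed: file byte order
            if tlv_len < 4:
                break                # malformed TLV; stop rather than loop forever
            value = rec[pos + 4:pos + tlv_len]
            if tlv_type == NFULA_PREFIX:
                prefix = value.rstrip(b"\0").decode(errors="replace")
            elif tlv_type == NFULA_PAYLOAD:
                payload = value
            pos += (tlv_len + 3) & ~3  # each TLV is padded to a 4-byte boundary
        out.append((family, group, prefix, payload))
    return out


def summarize(pcap_bytes):
    """One line per logged packet: group, prefix, IP protocol and IPv4 destination."""
    rows = []
    for family, group, prefix, payload in parse_nflog_pcap(pcap_bytes):
        dst = ".".join(str(b) for b in payload[16:20]) if family == 2 and len(payload) >= 20 else "?"
        rows.append("group=%d prefix=%r proto=%d dst=%s" % (group, prefix, payload[9], dst))
    return rows


def _tlv(t, v):
    body = struct.pack("<HH", 4 + len(v), t) + v
    return body + b"\0" * (-len(body) % 4)


def build_sample():
    """Constructed sample: one IPv4 TCP header logged to nflog group 2 (not a real capture)."""
    ip = bytes.fromhex("450000280000400040060000c0a80a0ac0a80a14")  # 192.168.10.10 -> 192.168.10.20
    rec = struct.pack(">BBH", 2, 0, 2) + _tlv(NFULA_PREFIX, b"fwd:\0") + _tlv(NFULA_PAYLOAD, ip)
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_NFLOG)
    return hdr + struct.pack("<IIII", 1378, 0, len(rec), len(rec)) + rec
```

Pointing `summarize()` at a real capture (`open(path, "rb").read()`) is enough to check that the group number in the file matches the `--nflog-group` of the rule that produced it.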

----------

## derzol

> What gives? I notice that wireshark runs dumpcap like this:
>
> ```
> dumpcap -n -i nflog -y NFLOG -U zone
> ```

Perhaps:

```
dumpcap -i nflog:1 -w /home/nflog-1.pcap
```

----------

