SOLVED Re: [CLUE-Tech] turning on verbose logging for iptables?

David Anselmi anselmi at americanisp.net
Fri Jul 19 07:59:20 MDT 2002


Dave Price wrote:
> 
> If tcpdump is not running, is the NIC in promiscuous mode?  Does it
> actually run as a service all the time?  Not sure how else I would see
> what traffic was hitting the box otherwise. The traffic on the interface
> is thru an ethernet switch, so I could not really sniff that any other
> way, could I?

No, the NIC should not be in promiscuous mode.  But while tcpdump is 
running the firewall may be less secure.  And if your firewall gets 
hacked, the bad guys have tcpdump handy to run on you.  The risk is very 
small, I think, but I've heard sillier things.

There are sniffers that work with switches.  They 'poison' the switch's 
ARP cache so that all packets go through them first.  I don't know how 
well they work, probably less reliably than what you did.  I'm looking 
for a small hub to use as a "tap" for this sort of thing.

> Also tried "tcpdump -l -i any" and caught a session setup and shut down -
> This did not work well _at_all_ while I was ssh'd into the
> firewall and starting tcpdump from that window, but when I went to
> the basement and set up the tcpdump from the console, the results
> were nearly identical in educational content.

Probably you were sniffing your ssh connection.  So you type something 
and packets get sent, which tcpdump records and displays back to you 
(which sends packets, which tcpdump records...)  See the problem?

It's nice to see someone solve a problem this way.  I've heard about 
network problems before (from professionals, no less) and when I ask 
what the sniffer shows their eyes glaze over.

Dave
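
The feedback loop David describes (tcpdump over ssh capturing its own output) can be avoided by excluding the admin session from the capture filter. The following is an added example, not code from the thread; it assumes sshd's `SSH_CONNECTION` variable ("client_ip client_port server_ip server_port") is set in the admin's shell, and that the filter is passed to `tcpdump` with `-l` as in the quoted command.

```shell
#!/bin/sh
# Added example: build a tcpdump (BPF) capture filter that leaves out the
# administrator's own ssh session, so the capture does not record the very
# packets it is displaying over that session.  Assumes the sshd-provided
# SSH_CONNECTION variable: "client_ip client_port server_ip server_port".

# Print a filter excluding the ssh session described by $1 (SSH_CONNECTION
# format).  Prints an empty string when $1 is empty (e.g. logged in at the
# console), so nothing is excluded.  Returns 1 on a malformed value.
ssh_exclude_filter() {
    conn="$1"
    [ -z "$conn" ] && { echo ""; return 0; }
    set -- $conn
    [ "$#" -eq 4 ] || { echo "bad SSH_CONNECTION: $conn" >&2; return 1; }
    client_ip="$1"; client_port="$2"; server_ip="$3"; server_port="$4"
    # 'host' matches either direction, so one clause covers both halves
    # of the TCP session.
    printf 'not (host %s and host %s and tcp port %s and tcp port %s)\n' \
        "$client_ip" "$server_ip" "$client_port" "$server_port"
}

# Combine the exclusion with the traffic the operator actually wants to see.
# $1: SSH_CONNECTION value, $2: the filter of interest (may be empty).
capture_filter() {
    excl="$(ssh_exclude_filter "$1")" || return 1
    want="$2"
    if [ -n "$excl" ] && [ -n "$want" ]; then
        printf '%s and (%s)\n' "$excl" "$want"
    else
        printf '%s%s\n' "$excl" "$want"
    fi
}

# Usage (commented out so the file can be sourced): capture on all
# interfaces, minus this ssh session, showing only port 80 traffic.
# tcpdump -l -n -i any "$(capture_filter "$SSH_CONNECTION" "port 80")"
```

At the console `SSH_CONNECTION` is unset, so the same command captures everything, matching the result David reports for the basement run.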
