Package: ulogd2
Version: 2.0.8-1
Severity: normal

Today - for the first time in probably 15+ years - I wanted to capture the actual packets dropped within netfilter in a pcap file. The method I developed during my netfilter days 20 years ago for this is the PCAP output plugin of ulogd.

To my knowledge it's the only method which allows you to capture the actual binary packet violating your iptables or nftables policy for later analysis in wireshark or other pcap-related tools. However, I was surprised to see that the ulogd2 package both in Debian stable as well as unstable doesn't contain the PCAP output plugin. Is that a conscious decision? I would think it's a rather useful feature to have.

Also, the example config file contains PCAP-related sections, making this even more confusing. So you uncomment parts of the example config that gets installed (stack=log2:NFLOG,base1:BASE,pcap1:PCAP) and then it fails due to not finding the PCAP plugin, with either

Apr 03 19:02:11 lakshmi1 ulogd[3579]: can't find requested plugin PCAP

(in the plugin auto-load case), or with

Apr 03 19:02:38 lakshmi1 ulogd[3607]: load_plugin: '/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_PCAP.so': /usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_PCAP.so: cannot open shared object file: No such file or directory

(in the case one explicitly wants to load the plugin via the commented-out line from the sample config file).

Given that building the pcap plugin is enabled by default, I guess it must be explicitly disabled with --disable-pcap in the debian package, so I guess it's a conscious decision and not an accident?

Thanks for looking into this.

-- System Information:
Debian Release: 12.0
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.1.0-7-amd64 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages ulogd2 depends on:
ii  adduser                    3.132
ii  init-system-helpers        1.65.2
ii  libc6                      2.36-8
ii  libmnl0                    1.0.4-3
ii  libnetfilter-acct1         1.0.3-3
ii  libnetfilter-conntrack3    1.0.9-3
ii  libnetfilter-log1          1.0.2-3
ii  libnfnetlink0              1.0.2-2
ii  lsb-base                   11.6
ii  sysvinit-utils [lsb-base]  3.06-3

ulogd2 recommends no packages.

Versions of packages ulogd2 suggests:
pn  ulogd2-dbi      <none>
pn  ulogd2-json     <none>
pn  ulogd2-mysql    <none>
pn  ulogd2-pcap     <none>
pn  ulogd2-pgsql    <none>
pn  ulogd2-sqlite3  <none>

-- Configuration Files:
/etc/ulogd.conf [Errno 13] Permission denied: '/etc/ulogd.conf'

-- no debconf information
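For reference, the NFLOG-to-PCAP stack the report refers to, written out as a complete minimal ulogd.conf. This is an added example, not text from the bug report or from the Debian package; it assumes the PCAP output plugin is actually present on the system (for instance from the separately listed ulogd2-pcap package, which the system information above shows as not installed), and the log file path, pcap file path and NFLOG group number 1 are assumed values, not taken from the report.

```ini
[global]
# Constructed example; logfile path is an assumption
logfile="/var/log/ulogd.log"
loglevel=3

# Explicit plugin loading. Paths follow the error message in the report;
# the PCAP line is the one the sample config ships commented out, and it
# only works if ulogd_output_PCAP.so is installed.
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_inppkt_NFLOG.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_raw2packet_BASE.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_PCAP.so"

# The stack from the report: NFLOG input -> BASE decoder -> PCAP writer
stack=log2:NFLOG,base1:BASE,pcap1:PCAP

[log2]
# netlink NFLOG group (assumed value); must match the group used in the
# firewall rule that logs the packets
group=1

[pcap1]
# Output file (assumed path); sync=1 flushes each packet immediately so the
# file is readable in wireshark while ulogd is still running
file="/var/log/ulogd.pcap"
sync=1
```

The firewall side has to hand the packets to the same NFLOG group before they are dropped, e.g. an iptables rule with `-j NFLOG --nflog-group 1` or an nftables `log group 1` statement placed ahead of the drop; with the plugin missing, ulogd exits with exactly the "can't find requested plugin PCAP" or "cannot open shared object file" error quoted above, so checking for the .so before enabling the stack is the quickest way to tell the two situations apart.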