Please correct my understanding. The libpcap/pcap-netfilter-linux.c file is about capturing NFLOG packets from the netlink socket, i.e. ones that came from netfilter's --log target.
On the other hand, we have:

    /*
     * Link-layer header type for the netlink protocol (nlmon devices).
     */
    #define LINKTYPE_NETLINK 253

which suggests that I can capture all netlink messages (which is what I want to do) into a pcap file. I'm unclear if our tcpdump forces printer might know how to decode those netlink messages (not in an IP/TCP enclosure); I suspect not?

Ultimately, I want to capture netlink traffic on a machine that has upwards of 7000 interfaces (with 1000s coming/going as PPP links go up/down under testing), and determine why another daemon is crashing.

http://lwn.net/Articles/556183/ seems to agree. Maybe that code isn't upstream yet, certainly not in stock Debian yet.

The discussion at:
    http://www.spinics.net/lists/netdev/msg243327.html

+ modprobe nlmon
+ ip link add type nlmon
+ ip link set nlmon0 up
+ tcpdump -i nlmon0 ....
+ ip link set nlmon0 down
+ ip link del dev nlmon0
+ rmmod nlmon

suggests that it all just works...

I will report when I know what kernel I need to make this work, and I guess we should have a web page on doing this, and what is going on.

--
]   Never tell me the odds!                      | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works | network architect  [
]   m...@sandelman.ca http://www.sandelman.ca/   | ruby on rails      [

_______________________________________________
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
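Added example, not part of the original message or of libpcap: a Python reader for a classic pcap file saved from an nlmon device, listing RTM_NEWLINK/RTM_DELLINK messages with their interface index, which is the signal of interest when thousands of PPP links come and go. It assumes the 16-byte cooked header that libpcap documents for LINKTYPE_NETLINK and that the netlink payload uses the same byte order as the pcap file; the function names and the sample capture are constructed for illustration.

```python
import struct

LINKTYPE_NETLINK = 253                 # value quoted in the message above
NETLINK_ROUTE = 0                      # rtnetlink family number
RTM = {16: "RTM_NEWLINK", 17: "RTM_DELLINK"}

def iter_pcap(buf):
    """Yield (byte-order prefix, packet bytes) from a classic pcap image."""
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack_from("<I", buf)[0])
    if end is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack_from(end + "I", buf, 20)[0] != LINKTYPE_NETLINK:
        raise ValueError("capture is not LINKTYPE_NETLINK")
    off = 24
    while off + 16 <= len(buf):
        incl = struct.unpack_from(end + "I", buf, off + 8)[0]
        yield end, buf[off + 16:off + 16 + incl]
        off += 16 + incl

def link_events(buf):
    """Return [(message name, ifindex)] for link add/delete messages."""
    events = []
    for end, pkt in iter_pcap(buf):
        # 16-byte cooked header, big-endian; its last 2 bytes are the netlink family.
        if len(pkt) < 16 or struct.unpack_from(">H", pkt, 14)[0] != NETLINK_ROUTE:
            continue
        off = 16
        while off + 16 <= len(pkt):
            # nlmsghdr starts with nlmsg_len (u32) and nlmsg_type (u16).
            nlen, ntype = struct.unpack_from(end + "IH", pkt, off)
            if nlen < 16 or off + nlen > len(pkt):
                break                  # truncated or corrupt length: stop here
            if ntype in RTM and nlen >= 32:
                # ifinfomsg follows the 16-byte header; ifi_index is at offset 4.
                events.append((RTM[ntype], struct.unpack_from(end + "i", pkt, off + 20)[0]))
            off += (nlen + 3) & ~3     # NLMSG_ALIGN to 4 bytes
    return events

def sample_capture():
    """Constructed capture: one packet with NEWLINK, DELLINK and a cut-off message."""
    def msg(t, idx):                   # nlmsghdr + ifinfomsg (ifi_type 512 = PPP)
        return struct.pack("<IHHII", 32, t, 0, 1, 0) + struct.pack("<BBHiII", 0, 0, 512, idx, 0, 0)
    pkt = struct.pack(">HH10xH", 4, 824, NETLINK_ROUTE) + msg(16, 7001) + msg(17, 7001)
    pkt += struct.pack("<IHHII", 64, 16, 0, 2, 0)   # claims 64 bytes, only 16 present
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_NETLINK)
    return hdr + struct.pack("<IIII", 0, 0, len(pkt), len(pkt)) + pkt

if __name__ == "__main__":
    print(link_events(sample_capture()))
```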