Description of nflog
nflog is a wrapper around libnetfilter_log for Ruby.
For example, you can receive captured packets for the NFLOG group 1:
    require 'nflog'

    # Bind to NFLOG group 1; the block runs once per logged packet.
    Netfilter::Log.create(1) do |packet|
      # link: raw layer-2 header bytes, data: raw layer-3 payload bytes
      link, data = packet.data

      # The timestamp accessor name is missing from this page's copy of the example,
      # so the line is left commented out rather than guessed:
      # puts "Timestamp: #{packet.}"
      puts "Prefix: #{packet.prefix}"
      puts "UID: #{packet.uid}"
      puts "GID: #{packet.gid}"
      puts "Interface: #{packet.indev_name}"
      puts "Physical interface: #{packet.phys_indev_name}"
      puts "Ethernet: #{link.unpack("H*")[0]}"
      puts "Payload: #{data.unpack("H*")[0]}"
    end
Setting up iptables
This example rule can be used for sniffing incoming UDP traffic:
iptables -A INPUT -p udp -j NFLOG --nflog-group 1
Setting up ebtables
You will need ebtables for sniffing at layer 2. Here is an example for capturing incoming ARP frames:
    ebtables -t nat -A PREROUTING -p arp --nflog-group 1 -j ACCEPT
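The callback above only hex-dumps `link` and `data`. The following is an added example, not code from the nflog gem, showing how a consumer of the two rules above (the iptables UDP rule and the ebtables ARP rule) would decode those raw bytes into Ethernet, ARP and IPv4/UDP header fields. It assumes `link` and `data` arrive as raw byte strings (as the `unpack("H*")` calls in the README imply); the module name `NflogDecode` and the sample frames are constructed here so it runs offline without the gem or NFLOG kernel support.

```ruby
# Added example (not part of the nflog gem): decode the raw `link` (layer-2
# header) and `data` (layer-3 payload) bytes handed to the Netfilter::Log
# callback. Sample frames below are constructed inline for offline testing.
module NflogDecode
  # Ethernet header: dst MAC(6) src MAC(6) ethertype(2)
  def self.ethernet(link)
    raise ArgumentError, "short Ethernet header" if link.bytesize < 14
    dst, src, type = link.unpack("a6a6n")
    { dst: mac(dst), src: mac(src), ethertype: type }
  end

  def self.mac(bytes)
    bytes.unpack("C6").map { |b| format("%02x", b) }.join(":")
  end

  def self.ipv4(bytes)
    bytes.unpack("C4").join(".")
  end

  # ARP (RFC 826) for IPv4 over Ethernet:
  # hrd(2) pro(2) hln(1) pln(1) op(2) sha(6) spa(4) tha(6) tpa(4)
  def self.arp(data)
    raise ArgumentError, "short ARP packet" if data.bytesize < 28
    _hrd, _pro, hln, pln, op, sha, spa, tha, tpa = data.unpack("nnCCna6a4a6a4")
    raise ArgumentError, "unsupported ARP address lengths" unless hln == 6 && pln == 4
    { op: { 1 => :request, 2 => :reply }.fetch(op, op),
      sender_mac: mac(sha), sender_ip: ipv4(spa),
      target_mac: mac(tha), target_ip: ipv4(tpa) }
  end

  # IPv4 header (with options honoured via IHL) followed by a UDP header
  def self.ipv4_udp(data)
    raise ArgumentError, "short IPv4 header" if data.bytesize < 20
    vihl, _tos, _len, _id, _frag, _ttl, proto, _csum, src, dst =
      data.unpack("CCnnnCCna4a4")
    raise ArgumentError, "not IPv4" unless vihl >> 4 == 4
    raise ArgumentError, "not UDP" unless proto == 17
    ihl = (vihl & 0x0f) * 4
    raise ArgumentError, "truncated UDP header" if data.bytesize < ihl + 8
    sport, dport, ulen, _ucsum = data[ihl, 8].unpack("nnnn")
    { src: ipv4(src), dst: ipv4(dst), sport: sport, dport: dport,
      udp_len: ulen, payload: data[ihl + 8, ulen - 8] }
  end

  # Dispatch on the ethertype carried in `link`; returns decoded headers.
  def self.decode(link, data)
    eth = ethernet(link)
    l3 = case eth[:ethertype]
         when 0x0806 then arp(data)
         when 0x0800 then ipv4_udp(data)
         else { unsupported_ethertype: eth[:ethertype] }
         end
    { eth: eth, l3: l3 }
  end

  # Constructed sample 1: broadcast ARP request, who-has 192.168.1.1 tell 192.168.1.10
  SAMPLE_ARP_LINK = ([0xff] * 6 + [0x02, 0, 0, 0, 0, 0x01]).pack("C12") + [0x0806].pack("n")
  SAMPLE_ARP_DATA = [1, 0x0800, 6, 4, 1,
                     [0x02, 0, 0, 0, 0, 0x01].pack("C6"), [192, 168, 1, 10].pack("C4"),
                     ([0] * 6).pack("C6"), [192, 168, 1, 1].pack("C4")].pack("nnCCna6a4a6a4")

  # Constructed sample 2: IPv4/UDP 10.0.0.5:5353 -> 10.0.0.1:53 carrying "hello"
  SAMPLE_UDP_LINK = ([0x02, 0, 0, 0, 0, 0x02] + [0x02, 0, 0, 0, 0, 0x01]).pack("C12") +
                    [0x0800].pack("n")
  SAMPLE_UDP_DATA = [0x45, 0, 20 + 8 + 5, 0, 0x4000, 64, 17, 0,
                     [10, 0, 0, 5].pack("C4"), [10, 0, 0, 1].pack("C4")].pack("CCnnnCCna4a4") +
                    [5353, 53, 8 + 5, 0].pack("nnnn") + "hello"
end

if __FILE__ == $0
  # Inside a real Netfilter::Log.create block this would be decode(*packet.data)
  p NflogDecode.decode(NflogDecode::SAMPLE_ARP_LINK, NflogDecode::SAMPLE_ARP_DATA)
  p NflogDecode.decode(NflogDecode::SAMPLE_UDP_LINK, NflogDecode::SAMPLE_UDP_DATA)
end
```

Every length check raises before unpacking, because NFLOG may deliver frames truncated by `--nflog-range`; a decoder fed with untrusted bytes should fail loudly on a short buffer rather than produce half-parsed fields.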
Dependencies
You need kernel support for NFLOG and libnetfilter_log installed to get it working. nflog depends on nfnetlink and ffi (https://github.com/ffi/ffi/wiki/).
Contact
Guillaume Delugré, guillaume at security-labs dot org