Read traffic inline as a bridge
boozelclark opened this issue · 4 comments
Is there any way to use epcap "inline" where it can capture traffic transparently on a bridge? Or would I need to create a separate interface to NF_QUEUE?
Thanks,
Is this a hardware bridge or a virtual bridge like openvswitch? Usually it is possible to sniff the bridge interfaces directly similar to tcpdump: tcpdump -i br0 ...
It would be a software bridge using the OS. I would like to try and create a firewall using Erlang pattern matching which would involve not just reading the traffic but also deciding to accept/drop/reject it. The more I think about it, the only way I see this working is to write an Erlang port for netfilter_queue.
Ok. pcap is intended more for packet capture and injection although it would be possible to make an out of band "firewall" with it that, for example, watches traffic and resets connections.
An interface to netfilter should work fine. Another approach is to use tuntap devices.
Here is an example of a firewall using a tap device:
https://github.com/msantos/sut/blob/master/src/sut_fw.erl
And a simple example of making a switch:
https://gist.github.com/msantos/7231332
Thanks very much!
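
The verdict half of the firewall discussed in this thread, sketched with Erlang binary pattern matching. This is an added example, not code from the thread, epcap or sut; the module name `fw_verdict`, the policy and the sample frames are hypothetical, and how frames reach `verdict/1` (a netfilter queue port, a tap device) is left out.

```erlang
-module(fw_verdict).
-export([verdict/1, demo/0]).

%% Hypothetical policy, constructed for illustration:
%%   accept ARP, SSH from 10.0.0.0/8 and DNS over UDP;
%%   reject other TCP; drop everything else.

%% Ethernet II frame carrying IPv4.
verdict(<<_Dst:6/bytes, _Src:6/bytes, 16#0800:16, IP/bytes>>) -> ipv4(IP);
%% ARP
verdict(<<_:12/bytes, 16#0806:16, _/bytes>>) -> accept;
%% Anything else, including frames too short to parse: default deny.
verdict(_) -> drop.

ipv4(<<4:4, IHL:4, _ToS:8, _Len:16, _Id:16, _Flags:3, Frag:13,
       _TTL:8, Proto:8, _Sum:16, Src:4/bytes, _Dst:4/bytes, Rest/bytes>>)
  when IHL >= 5, Frag =:= 0 ->
    OptLen = (IHL - 5) * 4,   % length of IPv4 options, if any
    case Rest of
        <<_Opts:OptLen/bytes, L4/bytes>> -> l4(Proto, Src, L4);
        _ -> drop   % header claims more options than the frame holds
    end;
%% Bad version/IHL, or a non-first fragment with no L4 header to match on.
ipv4(_) -> drop.

%% Protocol 6 is TCP, 17 is UDP; the second port field is the destination.
l4(6, <<10, _:3/bytes>>, <<_SPort:16, 22:16, _/bytes>>) -> accept;
l4(6, _Src, <<_SPort:16, _DPort:16, _/bytes>>) -> reject;
l4(17, _Src, <<_SPort:16, 53:16, _/bytes>>) -> accept;
l4(_, _, _) -> drop.

%% Constructed sample frames; returns the list of verdicts in order.
demo() ->
    Eth = <<0:48, 0:48, 16#0800:16>>,
    Ip = fun(Proto, Src) ->
        <<4:4, 5:4, 0:8, 40:16, 0:16, 0:3, 0:13, 64:8, Proto:8, 0:16,
          Src/bytes, 192, 0, 2, 1>>
    end,
    Ports = fun(DPort) -> <<40000:16, DPort:16, 0:128>> end,
    Frames = [
        <<Eth/bytes, (Ip(6, <<10, 0, 0, 5>>))/bytes, (Ports(22))/bytes>>,
        <<Eth/bytes, (Ip(6, <<198, 51, 100, 7>>))/bytes, (Ports(22))/bytes>>,
        <<Eth/bytes, (Ip(17, <<10, 0, 0, 5>>))/bytes, (Ports(123))/bytes>>,
        <<1, 2, 3>>
    ],
    [verdict(F) || F <- Frames].
```

Compile with `erlc fw_verdict.erl` and call `fw_verdict:demo().` from the shell to see the verdict for each sample frame.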