pdumpq
======

Pdumpq takes packets over the netlink device which have been sent by Netfilter's QUEUE target and dumps them in Pcap format. This format is compatible with various packet sniffers such as tcpdump, snort and ethereal. Features include automatic dumpfile rotation, firewall mark filtering and user-defined packet verdicts. If it is compiled with email support, you can have packet dumps sent via email. You can also send the pcap data stream to standard output for reading by another program.

You need to compile your kernel with netlink support and QUEUE target support. Your firewall rule set needs to specify which packets to send to the netlink socket.

BUILD INSTRUCTIONS:

You need Netfilter/Iptables and libipq (which comes with netfilter).

    Edit Makefile
    make
    make install    /* You must be root to install */

The Makefile:

You can set some program defaults in the Makefile. It is well commented, so the options should be pretty clear. You can choose to disable compilation of the email alert option if you know you will never use it. Even if you build it in, it will not send email unless you tell it to. There are some email-specific options like timer and queue size that you can set. The other options relate to automatic file rotation and packet verdicts. These options can also be set on the command line when you run the program.

There is a Sys-V init script that has been contributed by Hal Burgiss. You will need to create the symlinks needed to make the program run if you want it to start automatically. Under Red Hat this can be done using chkconfig.

If you did not install the netfilter development libraries (libipq) you will need to tell the makefile where to find them. You can also specify the install directory and mandir. If your system's kernel include files do not point to 2.4.X includes, you will need to tell the makefile where to find them.

make:

This software should build on any system which supports netfilter.

make install:

This will install the program and documentation.

USAGE:

Read the man page - pdumpq(8)

BUGS/PROBLEMS:

Please see the file BUGS
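The pcap layout that a dumper like this must produce, as an added example (not pdumpq's own source): a 24-byte global header followed by a 16-byte record header per packet, written in native byte order so tcpdump and friends can detect it from the magic. Assumptions: packets arriving from QUEUE are raw IP (link type DLT_RAW, 12 in libpcap on Linux), and the 20-byte IPv4 header below is a constructed sample standing in for what libipq would deliver.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Classic libpcap file format constants (written in native byte order). */
#define PCAP_MAGIC         0xa1b2c3d4u
#define PCAP_VERSION_MAJOR 2
#define PCAP_VERSION_MINOR 4
#define PCAP_DLT_RAW       12   /* raw IP packets, no link-layer header */

struct pcap_file_hdr {          /* 24 bytes, no padding on common ABIs */
    uint32_t magic;
    uint16_t version_major, version_minor;
    int32_t  thiszone;
    uint32_t sigfigs;
    uint32_t snaplen;
    uint32_t linktype;
};

struct pcap_rec_hdr {           /* 16 bytes, precedes every packet */
    uint32_t ts_sec, ts_usec;
    uint32_t caplen;            /* bytes actually stored in the file */
    uint32_t len;               /* bytes seen on the wire */
};

/* Start a dump file by writing the global header; returns bytes written. */
size_t pcap_begin(FILE *fp, uint32_t snaplen)
{
    struct pcap_file_hdr h = { PCAP_MAGIC, PCAP_VERSION_MAJOR, PCAP_VERSION_MINOR,
                               0, 0, snaplen, PCAP_DLT_RAW };
    return fwrite(&h, 1, sizeof h, fp) == sizeof h ? sizeof h : 0;
}

/* Append one packet record, truncating the payload to snaplen. */
size_t pcap_append(FILE *fp, const unsigned char *pkt, uint32_t len,
                   uint32_t snaplen, uint32_t ts_sec, uint32_t ts_usec)
{
    struct pcap_rec_hdr r = { ts_sec, ts_usec, len < snaplen ? len : snaplen, len };
    if (fwrite(&r, 1, sizeof r, fp) != sizeof r) return 0;
    if (fwrite(pkt, 1, r.caplen, fp) != r.caplen) return 0;
    return sizeof r + r.caplen;
}

/* Constructed sample: a minimal IPv4 header, 10.0.0.1 -> 10.0.0.2, proto ICMP. */
static const unsigned char sample_ipv4[20] = {
    0x45,0x00,0x00,0x14, 0x00,0x01,0x00,0x00, 0x40,0x01,0x00,0x00,
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02 };

/* Write a two-packet dump to a temp file; returns its size, or -1 on error. */
long demo_dump(uint32_t snaplen)
{
    FILE *fp = tmpfile();
    if (!fp) return -1;
    long total = (long)pcap_begin(fp, snaplen);
    total += (long)pcap_append(fp, sample_ipv4, sizeof sample_ipv4, snaplen, 1000, 0);
    total += (long)pcap_append(fp, sample_ipv4, sizeof sample_ipv4, snaplen, 1000, 500);
    fflush(fp);
    fseek(fp, 0, SEEK_END);
    long size = ftell(fp);
    fclose(fp);
    return size == total ? size : -1;
}
```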