Dumping rawdata for a host on a proxy using tcpdump


I'm trying to save the raw data that is being sent through our proxy to a specific URL. A friend of mine gave me the tip to use tcpdump, so I started reading about it on their page. But for some reason I fail to use it.

I tried 'tcpdump -c10 host my.very.specific.host.com', but I don't get any matches. And yes =) I can see that there is some kind of action from the client in the server.log.

If I use 'tcpdump -c10' I get 10 rows instantly. So I guess I misunderstood the concept of 'host'?

I cannot point it towards an IP since it's a webserver that handles way too many different URLs.

This is really not my domain (programmer), so please excuse my simple question 🙂
Thanks in advance.

EDIT 1

Thanks for all the help, and yes.. I should have stated my question more clearly. So here is some 'more' information. What I want to do is to capture the data going from our proxy to a cellphone.

The reason I'm doing this is to make sure that we send exactly what we want before it goes out into the 'mobile operator gateway/proxy wilderness' (Yes, they tend to modify things more than they should ;))

The information that I'm interested in is the HTTP protocol.

So what I will do now is try to dump the information that goes between our proxy and the mobile operator gateway on the 'public' NIC. Luckily for me, the mobile operator only has one public gateway.

Over and out!

Best Answer

You may have a problem with different interfaces. By default tcpdump only listens on the first Ethernet interface it finds. If you add "-i any" it will listen on every interface.

As someone has mentioned already, you will end up capturing all the traffic to a particular IP address, regardless of the DNS name you want. You can reduce the amount of data you capture by restricting the filter further. You could add a port and specify a particular remote host or network.

# tcpdump host 12.34.56.78 and port 80 and net 78.65.43.0/24

You may find that tcpflow is more useful to you. It will dump each side of a TCP connection into a separate file. You can either use it with the same filter you'd use with tcpdump, or you can load a pcap file in. To save a pcap file, run:

# tcpdump -s 0 -w /tmp/dump.pcap -i any host 12.34.56.78 and port 80
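Because tcpdump's `host` primitive resolves the name once when the filter is compiled and then matches on the address, a capture taken against a shared web server contains requests for every site hosted on that IP. The usual way to get back to "traffic for this URL" is to capture by address as in the answer and then filter by the HTTP Host header offline. The script below is an added example written for this page (it is not code from the question or the answer): it reads a classic pcap such as `tcpdump -s 0 -w` produces, decodes Ethernet/IPv4/TCP framing by hand so it needs no third-party library, and keeps only the HTTP requests whose Host header names the site of interest. The pcap bytes, addresses and host names are constructed inline for the demonstration. It only understands Ethernet-framed captures (link type 1), so a file taken with `-i any` on Linux, which is written in the Linux "cooked" format, would need a different frame decoder.

```python
# Added example: filter HTTP requests in a pcap by Host header.
# Frame/pcap builders at the bottom exist only to construct sample input.
import struct
from typing import Dict, Iterator, List, Optional, Tuple

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def iter_pcap_records(pcap: bytes) -> Iterator[bytes]:
    """Yield the raw bytes of each record in a classic (non-pcapng) pcap file."""
    magic = pcap[:4]
    if magic == b"\xd4\xc3\xb2\xa1":      # 0xa1b2c3d4 written little-endian
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    (linktype,) = struct.unpack(endian + "I", pcap[20:24])
    if linktype != 1:  # DLT_EN10MB; `-i any` on Linux writes DLT 113 (cooked) instead
        raise ValueError("example only handles Ethernet (DLT 1) captures")
    offset = 24
    while offset + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", pcap[offset:offset + 16])
        offset += 16
        yield pcap[offset:offset + incl_len]
        offset += incl_len


def tcp_payload(frame: bytes) -> Optional[Tuple[str, str, int, int, bytes]]:
    """Return (src_ip, dst_ip, sport, dport, payload) for an IPv4/TCP Ethernet frame."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if ip[9] != IPPROTO_TCP:
        return None
    ihl = (ip[0] & 0x0F) * 4                      # IPv4 header length incl. options
    total_len = struct.unpack("!H", ip[2:4])[0]   # ignore any Ethernet padding
    src, dst = bytes_to_ip(ip[12:16]), bytes_to_ip(ip[16:20])
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4                 # TCP header length incl. options
    return src, dst, sport, dport, tcp[data_off:]


def parse_http_request(payload: bytes) -> Optional[Tuple[str, Dict[str, str]]]:
    """Return (request_line, headers) if the segment starts an HTTP request."""
    if not payload.startswith(HTTP_METHODS):
        return None
    head = payload.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return lines[0].decode("latin-1"), headers


def requests_for_host(pcap: bytes, wanted_host: str) -> List[Tuple[str, str, str]]:
    """(src_ip, dst_ip, request_line) for every request whose Host header matches."""
    found = []
    for frame in iter_pcap_records(pcap):
        seg = tcp_payload(frame)
        if seg is None:
            continue
        src, dst, _sport, _dport, payload = seg
        req = parse_http_request(payload)
        if req is None:
            continue
        request_line, headers = req
        # The Host header may carry an explicit port, e.g. "example.com:8080"
        if headers.get("host", "").split(":")[0].lower() == wanted_host.lower():
            found.append((src, dst, request_line))
    return found


def build_frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Minimal Ethernet/IPv4/TCP frame (checksums left zero) for constructing test input."""
    eth = b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", ETHERTYPE_IPV4)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64,
                         IPPROTO_TCP, 0, ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 65535, 0, 0)
    return eth + ip_hdr + tcp_hdr + payload


def build_pcap(frames: List[bytes]) -> bytes:
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


# Constructed sample: two virtual hosts behind one server IP, plus the server's reply.
SAMPLE_PCAP = build_pcap([
    build_frame("10.0.0.5", "12.34.56.78", 40001, 80,
                b"GET /index.html HTTP/1.1\r\nHost: my.very.specific.host.com\r\n\r\n"),
    build_frame("10.0.0.5", "12.34.56.78", 40002, 80,
                b"GET /other HTTP/1.1\r\nHost: other.example.org\r\n\r\n"),
    build_frame("12.34.56.78", "10.0.0.5", 80, 40001,
                b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
])

if __name__ == "__main__":
    for src, dst, line in requests_for_host(SAMPLE_PCAP, "my.very.specific.host.com"):
        print(f"{src} -> {dst}: {line}")
```

To use it on a real capture, replace `SAMPLE_PCAP` with the contents of the file written by `tcpdump -s 0 -w`; `-s 0` matters because a truncated snapshot would cut the Host header off. The parser looks only at the first segment of each request, so a request whose headers span several TCP segments would be missed; tcpflow, mentioned in the answer, avoids that by reassembling each stream first.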