Router – logging HTTP traffic with tcpdump on a router

httploggingroutertcpdump

I have a linux box acting as a router between many clients and the internet, and i need to pull some statistics on usage: I need to log which internal IPs access which addresses externally.

I use this to check which internal IPs access which external IPs:

tcpdump -n -i any port 80 or port 443 and src net 192.168.101.0/24

(I use -n and do the lookups later)

However, this also shows me a lot of extras relating to TCP handshaking and windowing. Is it possible to only show the actual HTTP request?

I have found a few approaches, most of which involve grepping for GET\|POST, butthat strips away the IPs, which is primarily what i care about.

Edit:

I do not have the luxury of using anything else than tcp + standard linux and bash commands (hence why i'm limited to tcpdump and grep/strings/awk/sed
Would including the filter tcp[13] & 2!=0' help, as i understand that would only show the initial SYN?

Best Answer

If you are just limited to native tools Id think youd have perl available. Perhaps you could use this perl script. called chaosreader

otherwise you could capture the traffic and parse it with the perl script on another system

Related Solutions

Monitoring HTTP traffic using tcpdump

tcpdump prints complete packets. "Garbage" you see are actually TCP package headers.

you can certainly massage the output with i.e. a perl script, but why not use tshark, the textual version of wireshark instead?

tshark 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'

it takes the same arguments as tcpdump (same library) but since its an analyzer it can do deep packet inspection so you can refine your filters even more, i.e.

tshark 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' -R'http.request.method == "GET" || http.request.method == "HEAD"'

Centos – PPTP traffic logging

I have no experience with pptpd, but I do have pptp running on a CentOS machine which acts as a client connecting outward to a DrayTek router.

So, I would imagine, that for each connected user, there will be a corresponding ppp network interface created on the server to service that user. You could setup some iptables rules which log all packets from these ppp interfaces. The the final thing you have to correlate (log) from pptpd is the times when specific users were assigned particular IP addresses. This would then allow you to log the traffic and link it to the corresponding VPN user (even easier if you force VPN users to be assigned a static IP).

You would need to make sure you apply the logging rules in each direction, on the FORWARD chain most likely (to record traffic destined to other hosts on the VPN network, that is routed by the VPN server). Add INPUT and OUTPUT chains if you want to include logging for the server itself (the + denotes all ppp interfaces):

iptables -A FORWARD -i ppp+ -j LOG
iptables -A FORWARD -o ppp+ -j LOG

And obviously, you can tailor the above iptables rules to be more protocol specific, if you are wishing to monitor particular types of traffic.

Using tcpdump to capture PCAPs on a per interface basis would prove a nightmare to implement. You would need to invent some radical way of having a tcpdump process fork and die for each ppp interface that is created and deleted, as users log in and log off. I cannot think of a nice way to do that, and it seems a bit of an overkill anyway to be trying to log the packet contents across each session. Better to have further security measures on the devices they may possibly be connecting to on the private network itself.

Best Answer

Related Solutions

Monitoring HTTP traffic using tcpdump

Centos – PPTP traffic logging

Related Topic