SBDavid

tcpdump - dump traffic on a network

Tcpdump prints out a description of the contents of packets on a network interface that match the boolean expression. It can also be run with the -w flag, which causes it to save the packet data to a file for later analysis, and/or with the -r flag, which causes it to read from a saved packet file rather than to read packets from a network interface. In all cases, only packets that match expression will be processed by tcpdump.

Example:

root@u12:~# tcpdump -nnvvXS -c2 port 80

-n
Don’t convert host addresses to names. This can be used to avoid DNS lookups.

-nn
Don’t convert protocol and port numbers etc. to names either.

-vv
Even more verbose output. For example, additional fields are printed from NFS reply packets, and SMB packets are fully decoded.

-X
When parsing and printing, in addition to printing the headers of each packet, print the data of each packet (minus its link level header) in hex and ASCII. This is very handy for analysing new protocols.

-S
Print absolute, rather than relative, TCP sequence numbers.

tshark - Dump and analyze network traffic

TShark is a network protocol analyzer. It lets you capture packet data from a live network, or read packets from a previously saved capture file, either printing a decoded form of those packets to the standard output or writing the packets to a file. TShark’s native capture file format is libpcap format, which is also the format used by tcpdump and various other tools.

Without any options set, TShark will work much like tcpdump. It will use the pcap library to capture traffic from the first available network interface and displays a summary line on stdout for each received packet.

Example:

# tshark -n -i ppp0 port 80
Running as user "root" and group "root". This could be dangerous.
Capturing on ppp0

-n
Disable network object name resolution (such as hostnames and TCP and UDP port names); the -N flag may override this one.

-i [capture interface]
Capture on the named network interface (ppp0 in the example above) instead of the first available one.
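The -w/-r flags of tcpdump and the note that TShark's native format is libpcap both refer to the same on-disk layout. The following Python is an added example, not code from either tool or from the original post: it writes a small pcap file from constructed Ethernet/IPv4/TCP frames (the MAC and IP addresses are placeholders), reads it back, and applies the equivalent of the capture filter "port 80" used in the examples above.

```python
import os
import struct
import tempfile

# libpcap global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype 1 (Ethernet)
PCAP_GLOBAL = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)

def build_tcp_frame(src_port, dst_port, payload=b""):
    """Constructed sample Ethernet + IPv4 + TCP frame; MACs/IPs are placeholders."""
    eth = bytes(6) + bytes(6) + b"\x08\x00"              # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0,
                     64, 6, 0, bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1]))
    return eth + ip + tcp + payload

def write_pcap(path, frames):
    """Write frames in the file format produced by tcpdump -w and tshark -w."""
    with open(path, "wb") as f:
        f.write(PCAP_GLOBAL)
        for ts, frame in enumerate(frames):
            # per-packet record header: ts_sec, ts_usec, incl_len, orig_len
            f.write(struct.pack("<IIII", ts, 0, len(frame), len(frame)))
            f.write(frame)

def read_pcap(path):
    """Yield raw frames from a little-endian pcap file (what tcpdump -r consumes)."""
    with open(path, "rb") as f:
        if struct.unpack("<I", f.read(4))[0] != 0xA1B2C3D4:
            raise ValueError("not a little-endian pcap file")
        f.read(20)                                       # rest of the global header
        while len(hdr := f.read(16)) == 16:
            _, _, incl_len, _ = struct.unpack("<IIII", hdr)
            yield f.read(incl_len)

def matches_port(frame, port):
    """Equivalent of the capture filter 'port N': IPv4 TCP/UDP with src or dst port N."""
    if frame[12:14] != b"\x08\x00" or frame[23] not in (6, 17):
        return False
    off = 14 + (frame[14] & 0x0F) * 4                   # Ethernet + IPv4 header length
    return port in struct.unpack("!HH", frame[off:off + 4])

def demo():
    """Write three constructed frames, then count those matching 'port 80'."""
    path = os.path.join(tempfile.mkdtemp(), "sample.pcap")
    write_pcap(path, [build_tcp_frame(40000, 80, b"GET / HTTP/1.0\r\n"),
                      build_tcp_frame(40001, 443),
                      build_tcp_frame(80, 40000)])
    frames = list(read_pcap(path))
    return len([f for f in frames if matches_port(f, 80)]), len(frames)
```

demo() returns the number of frames matching port 80 and the total, and the file it writes can be opened with tcpdump -r or tshark -r for comparison.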

Redirect all HTTP traffic through the proxy.

If you would like to redirect all HTTP traffic through the proxy without needing to set up a proxy manually in all your applications, you will need to add the following iptables rules:

iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.1:3128

And

iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

Where eth1 and eth0 are the LAN and WAN devices respectively, and 10.0.0.1 is the IP address of your LAN device. You can confirm the rules are in place with iptables -t nat -L PREROUTING -n -v.