I had to verify that a programme on a remote server was communicating through the proxy only, while lots of other services on the server were running (and communicating over the network). I could have watched the proxy's (squid) logs, set up the firewall to log access to and from certain hosts, or used iftop. In my case each of these had downsides (e.g. iftop is more for tracking the amount of traffic, and I had to check that even the smallest packet would not bypass my HTTP proxy - even though you can pass the filters mentioned below to iftop as well, see its -f option). I chose tcpdump, and this post is to save the exact command I used:
tcpdump -i any "tcp and host not proxy.example.com and host not my-workstation.example.com and not ( dst localhost and src localhost ) and not ( dst $( hostname ) and src $( hostname ) )"
tcp
    says that I'm interested in TCP traffic only
host not proxy.example.com
    instructs tcpdump to ignore (not log) any traffic to/from my proxy server
host not my-workstation.example.com
    asks tcpdump to ignore traffic to/from my workstation, as I'm connected via ssh from there (it could be hardened to only ignore ssh traffic - port 22 - but this is good enough for me)
not ( dst localhost and src localhost )
    ignores traffic going from localhost to localhost (some other services on the system are talking to each other and I'm not interested in that)
not ( dst $( hostname ) and src $( hostname ) )
    same as above, but some services are using my external IP for their internal conversations and again, I do not need to know about that
This way tcpdump only logs communication to/from the parts of the external world I'm interested in.
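The following is an example I added, not part of the original post: the same exclusion filter built from parameters instead of being retyped, a syntax check that compiles it before a long capture, and a wrapper that runs tcpdump with it. The names proxy.example.com, my-workstation.example.com and the address 203.0.113.5 are placeholders; the optional fourth parameter implements the "only ignore ssh traffic - port 22" variant mentioned above.

```sh
#!/bin/sh
# Added example, not from the original post: the exclusion filter built from
# parameters, a compile check, and a tcpdump wrapper. The hostnames used
# below are placeholders.

# build_leak_filter PROXY ADMIN_HOST LOCAL_HOST [ADMIN_PORT]
# Prints a pcap filter that keeps only TCP packets which do not involve the
# proxy, the admin workstation, or the host talking to itself (on loopback or
# on its own external address). Anything that still matches went around the
# proxy. With ADMIN_PORT set, only that port on the admin host is hidden
# (e.g. 22 to hide just the ssh session) instead of all traffic with it.
build_leak_filter() {
    proxy="$1"; admin="$2"; local_host="$3"; admin_port="${4:-}"
    if [ -n "$admin_port" ]; then
        admin_term="not ( host $admin and port $admin_port )"
    else
        admin_term="host not $admin"
    fi
    printf '%s' "tcp and host not $proxy and $admin_term and not ( dst localhost and src localhost ) and not ( dst $local_host and src $local_host )"
}

# check_leak_filter FILTER
# Compiles the filter without capturing (tcpdump -d dumps the BPF program
# and exits). A typo in the expression, or a hostname that does not resolve,
# makes this fail, which is cheaper to find here than after an hour of
# capturing. It needs the same privileges as capturing, because tcpdump
# opens the interface to learn its link type before compiling.
check_leak_filter() {
    tcpdump -i any -d "$1" >/dev/null
}

# watch_for_leaks [TCPDUMP_OPTIONS...]
# Runs tcpdump with the filter for this host. -nn stops tcpdump from doing
# reverse DNS and service-name lookups while printing, so the tool you are
# watching with does not itself create traffic; -l line-buffers the output
# so it can be piped into tee. Extra options (e.g. -c 100, or -w leaks.pcap
# to keep the evidence) go before the expression, where tcpdump expects them.
watch_for_leaks() {
    filter=$(build_leak_filter proxy.example.com my-workstation.example.com "$(hostname)" 22)
    check_leak_filter "$filter" || return 1
    tcpdump -nn -l -i any "$@" "$filter"
}

# Usage (as root): watch_for_leaks -c 50
```

Two things to keep in mind when using it: the leading `tcp` qualifier also hides UDP, so a programme resolving DNS directly or speaking a UDP-based protocol would not show up in this capture (drop `tcp and` if that matters to you), and if `hostname` resolves to a loopback entry in /etc/hosts rather than to the external address, pass that address to build_leak_filter explicitly instead of `$(hostname)`.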