The Lurker

Watching network traffic with tcpdump and tcpflow

Recently on BELTS we needed to find the source of corruption in the base64 streams we need to decode. (To cut a long story short: it wasn't me. Hooray!) I was already familiar with tcpdump and ngrep, but what I wanted was to log an entire HTTP request and an entire response in separate files. This is quite easy to do with tcpflow.

1. Start recording incoming and outgoing packets: tcpdump -s 0 -w naughty.tcpdump -i eth0 src or dst naughtyserver.example.com
2. Send a request or twenty to naughtyserver.example.com
3. Stop tcpdump
4. Split the tcpdump output into files for each connection: tcpflow -r naughty.tcpdump

This produces a pair of files W.X.Y.Z.PPPPP-A.B.C.D.00080 and A.B.C.D.00080-W.X.Y.Z.PPPPP containing the request and response respectively for each a TCP connection.

There's only a small obstacle to allow for — when you are performing multiple HTTP request and keep-alives are supported by both server and client, more than one request and response can be sent in the lifetime of a single TCP connection. This means that you get two requests concatenated in the request file, and their two respective responses in the other file. If you're feeling uneasy about this you can run tcpdump -r naughty.tcpdump -x -X, but this is harder to read (since it also dumps includes the TCP and IP headers).

Related topics: Linux Web