Not Really a Blog

January 24, 2007

How to monitor packets from a remote interface in real time

Filed under: Computers, Linux — jesus @ 13:42

I was trying to debug an internet connection that was supposed to be controlled by tc, the Linux traffic-shaping tool. The scenario is this:

  • Outbound traffic through one interface on a specific port should not starve the rest of the traffic.
  • Some other ports and protocols are given priority (e.g. interactive traffic such as ssh).

But it was failing; getting tc to work properly is quite involved. For testing, we used a combination of wireshark (formerly ethereal), netcat and iptraf to see how the bandwidth was being used. My boss showed me a handy way to get all this working together, and I hope he doesn't mind if I share it with you :-). Imagine we have 3 computers:

  • hostA: our personal computer
  • hostB: where we are doing traffic shaping
  • hostC: a test computer where we are going to send data so we can test everything.

Right, imagine we want to shape traffic on port 3000 leaving hostB. For that purpose, we set up a netcat instance listening on that port on hostC:

golan@hostC:~$ nc -l -p 3000

Now we can send data to that port from hostB, again using netcat:

golan@hostB:~$ cat /dev/urandom | nc hostC 3000

This way we can generate traffic and test the connection.

Capturing traffic on hostC

We can use wireshark to see what is going on at hostC, with a small trick. We run something like this:

golan@hostA:~$ rm capture; mkfifo capture;

golan@hostA:~$ ssh root@hostC tcpdump -s 0 -U -n -w - -i eth0 tcp port 3000 > capture

We create a FIFO named capture, then run tcpdump on hostC over ssh, capturing port 3000 and writing the pcap stream to standard output, which is redirected into the FIFO we have just created.

Wireshark

Now we launch wireshark and configure it to capture from the FIFO we created, giving the FIFO as the capture interface:

If we now click on Statistics -> IO Graph we get a nice traffic graph, which can help us debug the application.

IPTraf

Alternatively we can use iptraf, which gives us a window like this one:

Measuring bandwidth consumption

Now you can test the connection by sending data with netcat, as shown above.
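The whole procedure (FIFO on hostA, tcpdump on hostC over ssh, wireshark reading the FIFO, netcat generating load) wrapped in a small script, as an added example that is not part of the original post. The user name, host names, interface and port are placeholders; `wireshark -k -i` is the invocation suggested in comment 3 below. Two things differ from the post on purpose: the FIFO is only recreated if the existing path is already a FIFO (a bare `rm capture` would also delete an unrelated file of that name) and is created with mode 600, and the port and interface are validated before being spliced into the command line that the remote shell executes.

```shell
#!/bin/sh
# Added example, not code from the original post. It wraps the post's steps
# (FIFO on hostA, tcpdump on hostC over ssh, wireshark reading the FIFO) in
# functions. User, host, interface and port values are placeholders.
set -eu

# Recreate the FIFO. The post's "rm capture; mkfifo capture" would also delete
# an unrelated regular file of that name, so refuse unless the path is absent
# or already a FIFO. Mode 600 keeps other local users from reading the capture.
make_fifo() {
    path=$1
    if [ -e "$path" ] && [ ! -p "$path" ]; then
        echo "refusing to replace non-FIFO $path" >&2
        return 1
    fi
    rm -f "$path"
    mkfifo -m 600 "$path"
}

# Accept only a decimal TCP port in 1..65535, since the value is spliced into
# the tcpdump filter that the remote shell executes.
valid_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    if [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; then
        return 0
    fi
    return 1
}

# Build the remote tcpdump command line used in the post:
#   -s 0  full packets    -U  packet-buffered output   -n  no name resolution
#   -w -  pcap to stdout  -i  capture interface        filter: tcp port PORT
capture_cmd() {
    iface=$1
    port=$2
    valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
    case $iface in
        ''|*[!A-Za-z0-9_.:-]*) echo "bad interface: $iface" >&2; return 1 ;;
    esac
    printf 'tcpdump -s 0 -U -n -w - -i %s tcp port %s' "$iface" "$port"
}

# Start the remote capture into the FIFO and attach wireshark to it.
# The writer side blocks in open() until a reader opens the FIFO, which is
# what "wireshark -k -i FIFO" does. When wireshark exits, the ssh writer
# gets SIGPIPE and the remote tcpdump stops with it.
start_capture() {
    user=$1; host=$2; iface=$3; port=$4; fifo=${5:-capture}
    make_fifo "$fifo"
    ssh "$user@$host" "$(capture_cmd "$iface" "$port")" > "$fifo" &
    wireshark -k -i "$fifo"
    rm -f "$fifo"
}

# Bounded test load instead of an endless "cat /dev/urandom | nc hostC 3000":
# send N bytes of random data to the netcat listener (default 10 MiB).
send_test_data() {
    host=$1; port=$2; nbytes=${3:-10485760}
    valid_port "$port" || return 1
    head -c "$nbytes" /dev/urandom | nc "$host" "$port"
}

# Usage (placeholder values):
#   sh capture.sh start golan hostC eth0 3000     # on hostA
#   sh capture.sh send hostC 3000                 # on hostB
case ${1:-} in
    start) shift; start_capture "$@" ;;
    send)  shift; send_test_data "$@" ;;
esac
```

The post logs in as root to run tcpdump; tcpdump only needs the CAP_NET_RAW and CAP_NET_ADMIN capabilities, which can be granted to the binary with setcap so that a dedicated unprivileged capture account on hostC is enough. The `tcp port 3000` filter also keeps the ssh session's own packets out of the capture; with a broader filter you must exclude the ssh port, otherwise every captured packet is sent over ssh, captured again, and the stream feeds on itself.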

I guess there are many more ways to do this, but I found this one to be nice. Just drop a comment if you think there are nicer ways to do it :-)


7 Comments »

  1. I think I got half of it.

    Kinda.

    Comment by tripu — January 29, 2007 @ 15:56

  2. Half of it?

    Comment by Jesus — January 29, 2007 @ 18:44

  3. > wireshark -k -i

    Comment by bri — July 3, 2007 @ 13:43

  4. It's really nice conceptually. I will be needing your help in future.

    Comment by amitesh — April 4, 2008 @ 21:08

  5. golan@hostC:~$ nc -l -p 3000
    hostA: our personal computer, * hostC: a test computer where we are going to send data so we can test everything.

    Does it mean that I am working on A and hosting C for writing through port 3000? If yes, then how have we logged in to that computer, i.e. B?

    Comment by amitesh — April 4, 2008 @ 21:15

  6. Kindly tell me what it means as a whole:
    ssh root@hostC tcpdump -s 0 -U -n -w - -i eth0 tcp port 3000 > capture

    Comment by amitesh — April 6, 2008 @ 05:40

  7. Does it mean that I am working on A and hosting C for writing through port 3000? If yes, then how have we logged in to that computer, i.e. B?

    Er, using SSH?

    Kindly tell me what it means as a whole:
    ssh root@hostC tcpdump -s 0 -U -n -w - -i eth0 tcp port 3000 > capture

    It means: ssh into hostC and use tcpdump to capture all packets no matter how big they are, with no address resolution, writing to standard output, packet-buffered (each packet written to stdout as it arrives), capturing on eth0 and port 3000, and redirect stdout to the "capture" FIFO on hostA, from which we will read using wireshark. For more information, man tcpdump.

    Comment by admin — April 6, 2008 @ 13:20

