How to monitor packets from a remote interface in real time
I was trying to debug a connection to the internet that should be controlled by tc, the tool linux uses to do traffic shaping. The scenario is this:
- All outbound traffic through one interface using a specific IP port should not block the rest of the traffic.
- Some other ports and protocols are given priority (ie: interactive traffic using ssh)
But it was failing. tc is quite complicated to get working properly. For testing purposes, we were using a combination of wireshark (or ethereal), netcat and iptraf to see how the bandwidth was being used. My boss showed me a way to get all this working together which is quite handy. I hope he doesn’t mind at all if I share it with you :-). Imagine we have 3 computers:
- hostA: our personal computer
- hostB: where we are doing traffic shaping
- hostC: a test computer where we are going to send data so we can test everything.
Right, imagine we want to control port 3000 on hostB. For that purpose, we will set up a netcat instance on hostC listening on that port:
golan@hostC:~$ nc -l -p 3000
So we can now send data to such port using netcat as well:
golan@hostB:~$ cat /dev/urandom | nc hostC 3000
This way we can send data and test the connection.
Capturing traffic on hostC
We can use wireshark on hostC in a tricky way to see what’s going on. So, we use something like this:
golan@hostA:~$ rm capture; mkfifo capture
golan@hostA:~$ ssh root@hostC tcpdump -s 0 -U -n -w - -i eth0 tcp port 3000 > capture
We create a FIFO named capture, then capture traffic on hostC on port 3000 and write it to standard output, which is in fact redirected (over the ssh session) into the FIFO we have just created.
Wireshark
So now we launch wireshark and configure it to capture data from the FIFO we created, giving the FIFO as the interface:

If we now click on Statistics -> IO Graph we get a nice traffic graph

which can help us debug the application.
IPTraf
Alternatively we can use iptraf, which gives us a window like this one:

Measuring bandwidth consumption
Now, you can test the connection by sending data using netcat as seen above.
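The whole procedure above (create the FIFO, start the remote tcpdump over ssh writing into it, attach wireshark to the FIFO), wrapped in a few POSIX shell functions. This is an added example, not a script from the original post. It assumes ssh access to the remote host, tcpdump there and wireshark locally; the host, interface and port values are placeholders in the same layout as the post. It differs from the post's one-liner in one respect: it refuses to remove an existing regular file where the FIFO should go, instead of blindly running rm first.

```shell
#!/bin/sh
# Added example (not from the original post): wraps the remote-capture
# procedure in reusable functions. user@host, interface and port are
# placeholders; ssh/tcpdump/wireshark availability is assumed.

set -u

# Build the remote tcpdump command exactly as the post uses it:
#  -s 0  capture full packets, -U packet-buffered output (flush per packet),
#  -n    no name resolution, -w -  write pcap to stdout,
#  filter restricted to the tcp port under test.
build_capture_cmd() {
    # $1 = user@host, $2 = interface, $3 = tcp port
    case "$3" in
        ''|*[!0-9]*) echo "port must be numeric: $3" >&2; return 1 ;;
    esac
    printf 'ssh %s tcpdump -s 0 -U -n -w - -i %s tcp port %s' "$1" "$2" "$3"
}

# Create the FIFO, refusing to clobber a regular file with the same name
# (the post's "rm capture; mkfifo capture" would delete whatever was there).
# Mode 600 so only the capturing user can read the packet stream.
ensure_fifo() {
    if [ -p "$1" ]; then
        return 0
    elif [ -e "$1" ]; then
        echo "$1 exists and is not a FIFO; refusing to remove it" >&2
        return 1
    fi
    mkfifo -m 600 "$1"
}

# Start the remote capture writing into the FIFO, then attach wireshark
# (-k starts capturing immediately, -i names the FIFO as the interface).
# The remote tcpdump is stopped when wireshark exits.
start_capture() {
    fifo=$1; shift
    ensure_fifo "$fifo" || return 1
    cmd=$(build_capture_cmd "$@") || return 1
    # shellcheck disable=SC2086
    $cmd > "$fifo" &
    capture_pid=$!
    wireshark -k -i "$fifo"
    kill "$capture_pid" 2>/dev/null
}

# Example invocation (placeholders, same layout as the post):
#   start_capture ./capture root@hostC eth0 3000
# then, from hostB, generate test traffic with
#   cat /dev/urandom | nc hostC 3000
```

Because tcpdump on the remote side is invoked with `-U`, each packet is flushed to the pipe as it is captured; without it, wireshark would only see data once tcpdump's output buffer filled, which makes the IO Graph lag badly behind reality.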
I guess there are many more ways to do this, but I found this one to be nice. Just drop a comment if you think there are nicer ways to do this :-)
I think I got half of it.
Kinda.
Half of it?
> wireshark -k -i
It's really nice conceptually. I will be needing your help in the future.
golan@hostC:~$ nc -l -p 3000
hostA: our personal computer, * hostC: a test computer where we are going to send data so we can test everything.
Does it mean that I am working on A and hosting C for writing through port 3000? If yes, then how have we logged in to that comp, i.e. B?
Kindly tell me what it means as a whole.
ssh root@hostC tcpdump -s 0 -U -n -w - -i eth0 tcp port 3000 > capture
Er, using SSH?
It means: ssh into hostC and use tcpdump to capture all packets no matter how big they are, with no address resolution, writing to standard output in packet-buffered mode (each packet is written to stdout as it arrives), capturing on eth0 and port 3000, and redirect stdout to the “capture” FIFO on hostA, from which we will read using wireshark. For more information, man tcpdump.