You are here

Tracing network traffic using tcpdump and tshark

Affects product: 
Airlock WAF
Affects version(s): 
7.3 and newer

It is often useful to record network traffic on one of the interfaces attached to Airlock Gateway. This may be to analyze whether packets sent from external systems are reaching the Gateway, to check network connectivity, routing or firewall settings. To record such traffic on Airlock Gateway the common Linux tool tcpdump can be used. Traces recorded with tcpdump are compatible with other monitoring tools and analyzers like Wireshark. Alternatively, you can use TShark, the command line version of Wireshark, directly.

How to use tcpdump

The most important thing to know when recording network traffic are the names of the used network interfaces. There is a management interface, a back-end interface and one or more external interfaces. The management and back-end interface can be found in the menu "System Setup" - "Nodes" in the Airlock Configuration Center. The external interface can be found by selecting the corresponding virtual host in the menu "Application Firewall" - "Reverse Proxy". Typical names used for interfaces are eth0, eth1, vmnet1, etc. The names depend on the interface card type used. The number of the interface may vary depending on the network setup.

To get a list of available interface on the command line, use the following command:

# tcpdump -D​​​​

To record everything received and transmitted on the interface eth1 and print ASCII content, use following command:

# tcpdump -i ens224 -A

To restrict the traced traffic to (dst) and from (src) a certain IP address, use the following command:

# tcpdump -i ens224 host

To restrict the traced traffic further to a certain port, use the following command:

# tcpdump -i ens224 host and port 80

To trace everything except SSH traffic, use the following command:

# tcpdump -i ens224 not port 22

To write traffic to a file for further analysis in another tool, use the following command:

# tcpdump -i ens224 -w /tmp/backend.pcap

To reduce the recorded traffic, combine filter expressions while writing the traffic to a file:

# tcpdump -i ens224 port 443 -w /tmp/backend.pcap

How to use TShark

TShark is the command line version of Wireshark. It works similarly to tcpdump but is capable of parsing hundreds of protocols directly. It is therefore very useful for in-depth protocol analysis.

For example, the following command displays HTTP content directly on the command-line:

# tshark -i ens224 -x tcp port 80 -R http

Transfering captured data to your workstation

To copy the recorded data to another system for further analysis, use SCP or WinSCP from the target system, e.g.

# scp root@airlock:/tmp/backend.pcap .

Decrypt HTTPS traffic on Airlock Gateway

Airlock Gateway is able to log SSL/TLS session keys of front-end and back-end HTTPS connections. This allows to decipher the encrypted traffic.

Setup SSL Session Key Logging

To activate SSL session key logging the appropriate expert setting has to be enabled. Either globally for front-end or back-end traffic or specifically per virtual-host or back-end group.

To enable front-end key logging to /var/log/airlock/ext-apache/ssl/keys.log, the following directive has to be added to the Apache Expert Settings either globally or in the Virtual Host:

# Writes front-end SSL keys to
# file /var/log/airlock/ext-apache/ssl/keys.log
AirlockSSLKeyLogEnable On

To enable back-end key logging to /var/log/airlock/gatekeeper/ssl/keys.log, the following directive has to be added to the Security Gate Expert Settings:

Enable per Back-end Group or globally:

# Writes back-end SSL keys for this back-end group to
# file /var/log/airlock/gatekeeper/ssl/keys.log
BackendSSLKeyLog.Enable "TRUE"

As soon as the configuration is activated the SSL Session Keys will be logged to the appropriate files.

Traffic recording

To record the encrypted traffic the same tcpdump or tshark commands may be used as described above. For most encrypted traffic the initial handshake must be included in the captured traffic in order to be decrypted. Also connections reusing older SSL sessions may not be decrypted, since the key may not be written to the log file. SSL session-reuse can be prevented by clearing the SSL session cache of the client or server after TShark is started. For front-end connections, this can be done by restarting the client/browser. For back-end connections this can be done by reloading the airlock-gatekeeper service. On Airlock Gateway this is accomplished with the following command:

# systemctl reload airlock-gatekeeper

Traffic deciphering using wireshark

To decipher traffic using wireshark, first copy the recorded (still encrypted) traffic to your workstation using scp or Winscp:

# scp root@airlock:/tmp/frontend.pcap .

Also copy the SSL key log file(s):

# scp root@airlock:/var/log/airlock/ext-apache/ssl/keys.log .

Start wireshark and configure the SSL key log file in "Edit" -  "Preferences" - "Protocols" - "TLS" - "(Pre)-Master-Secret log filename". Then open the pcap file containing the encrypted traffic. You should see the decrypted HTTP traffic now.

Knowledge Base Categories: