Tracing network traffic using tcpdump and tshark

It is often useful to record network traffic on one of the interfaces attached to Airlock Gateway. This may be to analyze whether packets sent from external systems are reaching the Gateway, to check network connectivity, routing or firewall settings. To record such traffic on Airlock Gateway the common Linux tool tcpdump can be used. Traces recorded with tcpdump are compatible with other monitoring tools and analyzers like Wireshark. Alternatively, you can use TShark, the command line version of Wireshark, directly.

How to use tcpdump

The most important thing to know when recording network traffic are the names of the used network interfaces. There is a management interface, a back-end interface and one or more external interfaces. The management and back-end interface can be found in the menu "System Setup" - "Nodes" in the Airlock Configuration Center. The external interface can be found by selecting the corresponding virtual host in the menu "Application Firewall" - "Reverse Proxy". Typical names used for interfaces are eth0, eth1, vmnet1, etc. The names depend on the interface card type used. The number of the interface may vary depending on the network setup.

To get a list of available interface on the command line, use the following command:

To record everything received and transmitted on the interface eth1 and print ASCII content, use following command:

To restrict the traced traffic to (dst) and from (src) a certain IP address, use the following command:

To restrict the traced traffic further to a certain port, use the following command:

To trace everything except SSH traffic, use the following command:

To write traffic to a file for further analysis in another tool, use the following command:

To reduce the recorded traffic, combine filter expressions while writing the traffic to a file:

How to use TShark

TShark is the command line version of Wireshark. It works similarly to tcpdump but is capable of parsing hundreds of protocols directly. It is therefore very useful for in-depth protocol analysis.

For example, the following command displays HTTP content directly on the command-line:

Transfering captured data to your workstation

To copy the recorded data to another system for further analysis, use SCP or WinSCP from the target system, e.g.

Decrypt HTTPS traffic on Airlock Gateway

Airlock Gateway is able to log SSL/TLS session keys of front-end and back-end HTTPS connections. This allows to decipher the encrypted traffic.

Setup SSL Session Key Logging

To activate SSL session key logging the appropriate expert setting has to be enabled. Either globally for front-end or back-end traffic or specifically per virtual-host or back-end group.

To enable front-end key logging to /var/log/airlock/ext-apache/ssl/keys.log, the following directive has to be added to the Apache Expert Settings either globally or in the Virtual Host:

To enable back-end key logging to /var/log/airlock/gatekeeper/ssl/keys.log, the following directive has to be added to the Security Gate Expert Settings:

Enable per Back-end Group or globally:

As soon as the configuration is activated the SSL Session Keys will be logged to the appropriate files.

Traffic recording

To record the encrypted traffic the same tcpdump or tshark commands may be used as described above. For most encrypted traffic the initial handshake must be included in the captured traffic in order to be decrypted. Also connections reusing older SSL sessions may not be decrypted, since the key may not be written to the log file. SSL session-reuse can be prevented by clearing the SSL session cache of the client or server after TShark is started. For front-end connections, this can be done by restarting the client/browser. For back-end connections this can be done by reloading the airlock-gatekeeper service. On Airlock Gateway this is accomplished with the following command:

Traffic deciphering using wireshark

To decipher traffic using wireshark, first copy the recorded (still encrypted) traffic to your workstation using scp or Winscp:

Also copy the SSL key log file(s):

Start wireshark and configure the SSL key log file in "Edit" -  "Preferences" - "Protocols" - "SSL" - "(Pre)-Master-Secret log filename". Then open the pcap file containing the encrypted traffic. You should see the decrypted HTTP traffic now.