Created
November 21, 2019 18:09
-
-
Save vincent-zurczak/207516332d4bbaca5fde521a75ead60b to your computer and use it in GitHub Desktop.
A short reminder about how to use TCPmon to capture traffic
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| # Assuming we have an Elastic Search cluster secured by Nginx. | |
| ################# | |
| # On the server. | |
| ################# | |
| # Capture HTTP traffic to Nginx (listening on port 9200). | |
| # Output the result in a PCAP file, readable with Wireshark. | |
| tcpdump -A -i eth0 -s 0 \ | |
| 'tcp port 9200 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' \ | |
| -w /tmp/capture-to-nginx.pcap | |
| # Capture HTTP traffic to ES (listening on port 9201), on the local network interface. | |
| # Output the result in a PCAP file, readable with Wireshark. | |
| tcpdump -A -i lo -s 0 \ | |
| 'tcp port 9201 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' \ | |
| -w /tmp/capture-to-es.pcap | |
| # Execute the requests. | |
| ################# | |
| # Locally. | |
| ################# | |
| # Retrieve the results from the local machine | |
| scp -p user@ip:/tmp/capture-to-nginx.pcap /tmp/capture-to-nginx.pcap | |
| scp -p user@ip:/tmp/capture-to-es.pcap /tmp/capture-to-es.pcap |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment