Network traffic tracing using tcpdump and TShark/Wireshark

It can be useful to record network traffic on network interfaces attached to Airlock Gateway.

Recording traffic is typically used to analyze:

  • Whether packets sent from external systems actually reach the gateway.
  • Network connectivity and quality issues such as packet loss.
  • Routing or firewall settings.

To record network traffic on Airlock Gateway, the common Linux tool tcpdump can be used. Traces written by tcpdump (pcap files) can be opened in other monitoring tools and analyzers such as Wireshark. Alternatively, you can also use TShark, the command-line version of Wireshark.

How to use tcpdump

The most important thing to know when recording network traffic is the names of the network interfaces in use. There is a management interface, a back-end interface, and one or more external interfaces.

In the Airlock Gateway Configuration Center:

  • The management and back-end interfaces are listed in the menu System Setup >> Nodes.
  • The external interface is shown when selecting the corresponding virtual host in the menu Application Firewall >> Reverse Proxy.

Typical interface names are eth0, eth1, ens224, vmnet1, etc. The names depend on the hardware and on the naming scheme of the operating system, and the number of interfaces varies with the network setup. The command ip link lists all interfaces present on the system.

To record everything received and transmitted on the interface ens224 and print the packet contents as ASCII (useful for plain-text protocols such as HTTP), use the following command (tcpdump requires root privileges):

tcpdump -i ens224 -A

To restrict the traced traffic to a certain IP address (replace <IP address> accordingly), use the following command:

tcpdump -i ens224 host <IP address>

To restrict the traced traffic further to a certain port, use the following command:

tcpdump -i ens224 host <IP address> and port 80

To trace everything except SSH traffic, use the following command:

tcpdump -i ens224 not port 22

To write the raw packets to a pcap file for further analysis in another tool, use the following command. The file is binary; open it in Wireshark or read it back with tcpdump -r:

tcpdump -i ens224 -w /tmp/backend.pcap

To reduce the amount of recorded traffic, append a filter expression while writing the traffic to a file:

tcpdump -i ens224 -w /tmp/backend.pcap port 443
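
The following script is an added example and not part of the Airlock documentation. It shows what a file written with tcpdump -w contains and how the filter expressions used above (host, port, not port) select packets, by reading a libpcap file and decoding the Ethernet/IPv4/TCP headers in pure Python. The capture is constructed in memory from hand-built frames so the script runs offline; all addresses (192.0.2.10, 10.0.0.20, ...) and payloads are dummy values chosen for illustration.

```python
"""Read a libpcap file as written by `tcpdump -w` and apply `host`/`port`
style filters in pure Python (added example; constructed sample data)."""
import ipaddress
import struct

PCAP_MAGIC_LE_USEC = 0xA1B2C3D4   # little-endian file, microsecond timestamps
LINKTYPE_ETHERNET = 1


def build_tcp_frame(src_ip, dst_ip, sport, dport, payload=b""):
    """Build an Ethernet/IPv4/TCP frame. Checksums are left at zero: tcpdump
    and Wireshark still read such frames, they merely flag the bad checksum."""
    eth = b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02" + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0,
                     0x4000, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Write a minimal pcap file: global header plus one record per frame."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_LE_USEC, 2, 4, 0, 0, 262144,
                       LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def iter_packets(pcap_bytes):
    """Yield (timestamp_seconds, frame_bytes) for each record in the file."""
    magic, = struct.unpack_from("<I", pcap_bytes, 0)
    if magic != PCAP_MAGIC_LE_USEC:
        raise ValueError("only little-endian microsecond pcap files are handled here")
    linktype, = struct.unpack_from("<I", pcap_bytes, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(pcap_bytes):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", pcap_bytes, off)
        off += 16
        yield ts_sec, pcap_bytes[off:off + incl_len]
        off += incl_len


def decode_tcp(frame):
    """Return addresses, ports and payload of an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len, = struct.unpack_from("!H", frame, 16)
    tcp_off = 14 + ihl
    sport, dport = struct.unpack_from("!HH", frame, tcp_off)
    data_off = tcp_off + (frame[tcp_off + 12] >> 4) * 4
    return {
        "src": str(ipaddress.IPv4Address(frame[26:30])),
        "dst": str(ipaddress.IPv4Address(frame[30:34])),
        "sport": sport, "dport": dport,
        "payload": frame[data_off:14 + total_len],
    }


def matches(pkt, host=None, port=None, not_port=None):
    """The tcpdump expressions `host H`, `port P` and `not port P`, ANDed."""
    if host is not None and host not in (pkt["src"], pkt["dst"]):
        return False
    if port is not None and port not in (pkt["sport"], pkt["dport"]):
        return False
    if not_port is not None and not_port in (pkt["sport"], pkt["dport"]):
        return False
    return True


def filter_capture(pcap_bytes, **criteria):
    """Return the decoded IPv4/TCP packets of a capture matching the criteria."""
    return [pkt for _ts, frame in iter_packets(pcap_bytes)
            if (pkt := decode_tcp(frame)) is not None and matches(pkt, **criteria)]


# Constructed capture (dummy addresses): a TLS client reaching the external
# address, the gateway's back-end request and response on port 80, and SSH.
SAMPLE_PCAP = build_pcap([
    build_tcp_frame("203.0.113.5", "192.0.2.10", 51000, 443),
    build_tcp_frame("192.0.2.10", "10.0.0.20", 40001, 80, b"GET / HTTP/1.1\r\n\r\n"),
    build_tcp_frame("10.0.0.20", "192.0.2.10", 80, 40001, b"HTTP/1.1 200 OK\r\n\r\n"),
    build_tcp_frame("198.51.100.7", "192.0.2.10", 52222, 22),
])

if __name__ == "__main__":
    # Same selection as `tcpdump -A host 10.0.0.20 and port 80`
    for pkt in filter_capture(SAMPLE_PCAP, host="10.0.0.20", port=80):
        print(f'{pkt["src"]}:{pkt["sport"]} > {pkt["dst"]}:{pkt["dport"]}',
              pkt["payload"].decode("ascii", "replace").strip())
```

Run the file directly to see the two back-end packets printed with their ASCII payload, which is the information the -A option prints on a live capture. Note that a real capture may also contain non-TCP frames (ARP, ICMP, IPv6); decode_tcp skips those, which is why a filter such as not port 22 still counts only TCP here.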

How to use TShark

TShark is the command-line version of Wireshark, the widely used network protocol analyzer. It works similarly to tcpdump but dissects a very large number of protocols directly and is therefore well suited for in-depth protocol analysis.

For example, the following command prints a hex and ASCII dump (-x) of every HTTP packet on port 80. Note that -Y takes a Wireshark display filter, which is applied after dissection; a BPF capture filter such as the tcpdump expressions above would be passed with -f instead:

tshark -i ens33 -x -Y 'tcp.port==80 && http'

Secure data transfer to your workstation using SCP

SCP (secure copy) transfers files over an SSH connection, so the transfer is encrypted and authenticated in the same way as an SSH login. It can be used to copy files securely between a local and a remote host.

To copy the recorded data to another system for further analysis, run scp (or WinSCP on Windows) on your workstation, e.g.:

scp root@airlock:/tmp/backend.pcap .

Decrypt HTTPS traffic on Airlock Gateway

Airlock Gateway can log the SSL/TLS session keys of front-end and back-end HTTPS connections when this is enabled in the expert settings. With these keys, the recorded encrypted traffic can be deciphered.

  1. The session keys are written to the following files:
    • Front-end keys: /var/log/airlock/ext-apache/ssl/keys.log
    • Back-end keys: /var/log/airlock/gatekeeper/ssl/keys.log
  2. For front-end key logging, add the following directive to the Apache Expert Settings, either globally or in the virtual host:
    # Writes front-end SSL keys to
    # file /var/log/airlock/ext-apache/ssl/keys.log
    AirlockSSLKeyLogEnable On
  3. For back-end key logging, add the following directive to the Security Gate Expert Settings, either globally or for a single back-end group:
    # Writes back-end SSL keys for back-end group(s) to
    # file /var/log/airlock/gatekeeper/ssl/keys.log
    BackendSSLKeyLog.Enable "TRUE"
  4. As soon as the configuration is activated, the SSL session keys are logged to the respective files.

The key log files allow anyone who obtains them to decrypt the corresponding recorded traffic. Disable key logging and delete the files once the analysis is finished.

Traffic recording with tcpdump or TShark

To record the encrypted traffic, use the tcpdump or TShark commands from above.

  • For most encrypted traffic, the initial handshake must be included in the capture in order to decrypt the connection.
  • Connections that resume an earlier SSL session may not be decryptable, since their key may not have been written to the log file.
  • SSL session reuse can be prevented by clearing the SSL session cache of the client or server after the capture has been started:
    • For front-end connections, restart the client/browser.
    • For back-end connections, reload the airlock-gatekeeper service. On Airlock Gateway this is done with the following command:
      systemctl reload airlock-gatekeeper
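
The following script is an added example and not part of the Airlock documentation. It shows why a resumed session or a handshake recorded before key logging was active cannot be decrypted: Wireshark looks up each connection's secrets by the 32-byte client random of its ClientHello, so a connection is only decryptable if that random appears in the key log. The script parses constructed ClientHello records and a constructed key log and reports, per connection, whether a matching entry exists. It assumes the keys.log files use the NSS key log format that Wireshark reads (one secret per line, keyed by the client random); all randoms and secrets below are dummy values, not real key material.

```python
"""Check which TLS connections can be decrypted with a key log file
(added example; constructed ClientHello records and key log lines)."""
import struct

EXT_PRE_SHARED_KEY = 41        # present on a TLS 1.3 resumption attempt
EXT_SUPPORTED_VERSIONS = 43    # lists 0x0304 when the client offers TLS 1.3


def parse_keylog(text):
    """Return the set of client randoms (lowercase hex) that have a logged secret.
    Every NSS key log label except the legacy `RSA` one is keyed by the client random."""
    logged = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and not parts[0].startswith("#") and parts[0] != "RSA":
            logged.add(parts[1].lower())
    return logged


def build_client_hello(client_random, session_id=b"", extensions=()):
    """Build a TLS record carrying a ClientHello (one cipher suite, null compression)."""
    exts = b"".join(struct.pack("!HH", etype, len(data)) + data for etype, data in extensions)
    hello = (b"\x03\x03" + client_random
             + bytes([len(session_id)]) + session_id
             + struct.pack("!H", 2) + b"\x13\x01"          # TLS_AES_128_GCM_SHA256
             + b"\x01\x00"                                 # one compression method: null
             + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Extract client random, session id and extensions from a ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len, = struct.unpack_from("!H", record, 3)
    body = record[5:5 + rec_len]
    if not body or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    off = 2                                                # skip legacy_version
    client_random, off = hello[off:off + 32], off + 32
    sid_len = hello[off]; off += 1
    session_id, off = hello[off:off + sid_len], off + sid_len
    cs_len, = struct.unpack_from("!H", hello, off); off += 2 + cs_len
    off += 1 + hello[off]                                  # skip compression methods
    extensions = {}
    if off + 2 <= len(hello):
        ext_len, = struct.unpack_from("!H", hello, off); off += 2
        end = off + ext_len
        while off + 4 <= end:
            etype, elen = struct.unpack_from("!HH", hello, off); off += 4
            extensions[etype] = hello[off:off + elen]; off += elen
    return {"random": client_random.hex(), "session_id": session_id, "extensions": extensions}


def offers_tls13(info):
    """True if supported_versions lists TLS 1.3 (a TLS 1.3 client always sends a
    dummy 32-byte session id, so the id alone does not indicate resumption)."""
    versions = info["extensions"].get(EXT_SUPPORTED_VERSIONS, b"")[1:]
    return any(versions[i:i + 2] == b"\x03\x04" for i in range(0, len(versions), 2))


def decrypt_status(record, logged_randoms):
    """Explain whether Wireshark will find secrets for this connection."""
    info = parse_client_hello(record)
    if info["random"] in logged_randoms:
        return "decryptable"
    if EXT_PRE_SHARED_KEY in info["extensions"]:
        return "no key: TLS 1.3 PSK resumption, secrets belong to the original handshake"
    if info["session_id"] and not offers_tls13(info):
        return "no key: TLS 1.2 session-ID resumption, secrets belong to the original handshake"
    return "no key: full handshake without a keys.log entry (key logging not active yet?)"


# Constructed sample data: dummy client randoms and dummy secrets, NOT real keys.
R_TLS12 = bytes(range(0, 32))
R_TLS13 = bytes(range(32, 64))
R_UNLOGGED = bytes(range(64, 96))
KEYLOG = f"""# constructed sample in NSS key log format
CLIENT_RANDOM {R_TLS12.hex()} {'ab' * 48}
CLIENT_HANDSHAKE_TRAFFIC_SECRET {R_TLS13.hex()} {'cd' * 32}
SERVER_HANDSHAKE_TRAFFIC_SECRET {R_TLS13.hex()} {'ef' * 32}
CLIENT_TRAFFIC_SECRET_0 {R_TLS13.hex()} {'12' * 32}
SERVER_TRAFFIC_SECRET_0 {R_TLS13.hex()} {'34' * 32}
"""
TLS13 = (EXT_SUPPORTED_VERSIONS, b"\x02\x03\x04")
SAMPLE_HELLOS = {
    "tls12 full handshake": build_client_hello(R_TLS12),
    "tls13 full handshake": build_client_hello(R_TLS13, bytes(32), [TLS13]),
    "tls13 resumed": build_client_hello(R_UNLOGGED, bytes(32),
                                        [TLS13, (EXT_PRE_SHARED_KEY, b"\x00\x00")]),
    "tls12 resumed": build_client_hello(R_UNLOGGED, b"\x55" * 32),
    "tls12 full, logging off": build_client_hello(R_UNLOGGED),
}


def check_all(hellos=SAMPLE_HELLOS, keylog=KEYLOG):
    """Map each connection name to its decryption status."""
    logged = parse_keylog(keylog)
    return {name: decrypt_status(rec, logged) for name, rec in hellos.items()}


if __name__ == "__main__":
    for name, status in check_all().items():
        print(f"{name:26} {status}")
```

Only the two full handshakes whose client random appears in the key log are reported as decryptable; the resumed sessions and the handshake made before logging was active are not, which is exactly the case the service reload and browser restart above are meant to avoid.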

Traffic deciphering using Wireshark

  1. Use scp or a similar secure copy tool to transfer the recorded traffic and the key log files to your workstation.
  2. Start Wireshark and configure the SSL/TLS key log file. Go to:
    Edit >> Preferences
  3. In the preferences dialog, go to:
    Protocols >> TLS >> (Pre)-Master-Secret log filename
    This setting accepts a single file. To decrypt front-end and back-end traffic in the same capture, concatenate both keys.log files into one file and reference that.
  4. Open the pcap file with the encrypted traffic.
  5. Wireshark now displays the decrypted HTTP traffic.
  6. Analyze the traffic as required.