gateway

How to capture all network traffic of a single process 1

 in GNU/Linux  tagged forward / gateway / ip link / ip netns / isolated network / NAT / network namespace / strace / VXLAN / wireshark by

Method A: Using strace

If the process is not started yet, you can start it as a new process and monitor it using the following


strace -f -e trace=network -s 10000 <PROCESS WITH ARGUMENTS>;

If the process is already started and you know its PID you can use the following


strace -f -e trace=network -s 10000 -p <PID>;

strace is a very helpful utility that can be used to trace system calls and signals.

Parameters Legend:

  • -f Instructs strace to trace all child processes as they are created by the currently traced processes as a result of the fork, vfork and clone system calls.
    Note that -p PID -f will attach all threads of process PID if it is multi-threaded, not only thread with id PID.
  • -e trace=%network strace will trace all the network related system calls only if used alone.
  • -s strsize Specifies the maximum string size to print (the default is 32). Note that filenames are not considered strings and are always printed in full.
  • -p PID Attaches strace to the process with the process ID PID and starts tracing. The trace may be terminated at any time by a keyboard interrupt signal (CTRL-C). strace will respond by detaching itself from the traced process(es) leaving it (them) to continue running. Multiple -p options can be used to attach to many processes in addition to command (which is optional if at least one -p option is given). -p "`pidof APPLICATION`" syntax is supported.

In the simplest case strace runs the specified command until it exits. It intercepts and records the system calls which are called by a process and the signals which are received by a process. The name of each system call, its arguments and its return value are printed on standard error or to the file specified with the -o option.
strace is a useful diagnostic, instructional, and debugging tool. System administrators, diagnosticians and trouble-shooters will find it invaluable for solving problems with programs for which the source is not readily available since they do not need to be recompiled in order to trace them. Students, hackers and the overly-curious will find that a great deal can be learned about a system and its system calls by tracing even ordinary programs. And programmers will find that since system calls and signals are events that happen at the user/kernel inter‐ face, a close examination of this boundary is very useful for bug isolation, sanity checking and attempting to capture race conditions.

From: man strace

Method B: Using an isolated network namespace and Wireshark

Please note that this method might not work for all kernels.
It was tested on Fedora 25 (64 bit) with success.

Create the test network namespace

A network namespace is logically another copy of the network stack, with its own routes, firewall rules, and network devices.
With the following command we will create a network namespace called test.


sudo ip netns add test;

ip netns add NAME Creates a new named network namespace.
If NAME is available in /var/run/netns/ this command creates a new network namespace and assigns to it then name NAME.

Create two virtual network interfaces (veth0 and veth1) for our Virtual eXtended LAN (VXLAN)

The following command will create veth0 and veth1 virtual network interfaces.


sudo ip link add veth0 type veth peer name veth1;

ip link add with no link argument specified to a physical device to operate on, it adds a VXLAN virtual link.
Note: veth1 will act as a gateway later on.

Change the active namespace of the veth0 interface

With the following command, we move veth0 to our test network namespace.


sudo ip link set veth0 netns test;

Some devices are not allowed to change network namespace: loopback, bridge, ppp, wireless. These are network namespace local devices. In such case ip tool will return Invalid argument error. It is possible to find out if device is local to a single network namespace by checking netns-local flag in the output of the ethtool:
ethtool -k DEVICE;
To change network namespace for wireless devices the iw tool can be used. But it allows to change network namespace only for physical devices and by process PID.
From man ip-link

Configure the IP addresses of the virtual interfaces


#Set the IP of veth0 to 192.168.10.1 and veth0 to 192.168.10.254
sudo ip netns exec test ifconfig veth0 up 192.168.10.1 netmask 255.255.255.0;
sudo ifconfig veth1 up 192.168.10.254 netmask 255.255.255.0;

Configure the routing in the test namespace

The following command will set the default gateway for veth0 to be the IP 192.168.10.254 which is the address we gave veth1 in the previous step.


sudo ip netns exec test route add default gw 192.168.10.254 dev veth0;

Then we make sure ip_forward is active by issuing the following command


sudo sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward';

Then, we establish a NAT rule to forward all the traffic of test network namespace to a physical device


sudo iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o <PHYSICAL DEVICE e.g. eth0> -j SNAT --to-source <PHYSICAL DEVICE IP>;

Actually using the isolated network namespace

Add root to the list of users that is allowed to start an X application


xhost +si:localuser:root;

Start wireshark in your test network namespace


sudo ip netns exec test wireshark &

In wireshark start monitoring the data on the device veth0.

Finally, start the application you wish to monitor its network traffic


sudo ip netns exec test firefox;

How to set a static IP Address from the Command Line in GNU/Linux using ip addr and ip route

 in GNU/Linux  tagged gateway / IP / ip addr / ip route / mask / netmask / route / static / subnet by

Assuming you want to make the following changes to the network device eth0

  1. Change the IP to the static value 192.168.1.2
  2. Set the Subnet Mask to 255.255.255.0
  3. Set the Default Gateway for the device to be 192.168.1.1

and you want to avoid using ifconfig and route that are obsolete you can perform these changes using the following two commands


sudo ip addr add 192.168.1.2/24 dev eth0;
sudo ip route add default via 192.168.1.1 dev eth0;

Please note that the netmask is given in CIDR notation (it is the /24 right after the IP of the device in the ip addr command).

A subnet mask (netmask) is a bitmask that encodes the prefix length in quad-dotted notation: 32 bits, starting with a number of 1 bits equal to the prefix length, ending with 0 bits, and encoded in four-part dotted-decimal format: 255.255.255.0. A subnet mask encodes the same information as a prefix length, but predates the advent of CIDR. In CIDR notation, the prefix bits are always contiguous, whereas subnet masks may specify non-contiguous bits.

From Wikipedia: https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing

How to set a static IP Address from the Command Line in GNU/Linux using ifconfig and route 5

 in GNU/Linux  tagged gateway / ifconfig / IP / mask / netmask / route / static / subnet by

Assuming you want to make the following changes to the network device eth0

  1. Change the IP to the static value 192.168.1.2
  2. Set the Subnet Mask to 255.255.255.0
  3. Set the Default Gateway for the device to be 192.168.1.1

you can perform these changes using the following two commands


sudo ifconfig eth0 192.168.1.2 netmask 255.255.255.0;
sudo route add default gw 192.168.1.1 eth0;

ifconfig

ifconfig is an application that allows you to configure a network interface.
It is used to configure the kernel-resident network interfaces. and it is used at boot time to set up interfaces as necessary. After that, it is usually only needed when debugging or when system tuning is needed.
If no arguments are given, ifconfig displays the status of the currently active interfaces. If a single interface argument is given, it displays the status of the given interface only; if a single -a argument is given, it displays the status of all interfaces, even those that are down. Otherwise, it configures an interface.

route

route is an application that allows you to show and manipulate the IP routing table. The primary use of route is to set up static routes to specific hosts or networks via an interface after it has been configured with the ifconfig program.
When the add or del options are used, route modifies the routing tables. Without these options, route displays the current contents of the routing tables.