August, 2011

Aug 11

Netcat TCP/IP sniffing (proxy)

I find myself lately doing a lot of raw TCP/IP work and needed today to look at a protocol on the wire. I know Wireshark and similar utilities exist, but I needed to do this on a remote server, so I built a reverse proxy out of netcat in order to learn the ins and outs of a custom protocol.

The commands below create the proxy and write both directions of the conversation to files:

# named pipe (FIFO) that carries the server's replies back to the listening nc
mknod /tmp/backpipe p

# listen on 61610; client -> server bytes are appended to /tmp/inflow,
# server -> client bytes to /tmp/outflow and then sent back through the FIFO
nc -l 61610 0</tmp/backpipe | \
tee -a /tmp/inflow | \
nc localhost 61611 | \
tee -a /tmp/outflow 1>/tmp/backpipe

In this case the proxy listens on port 61610 and forwards everything it receives to localhost:61611; change the listening port and the forward host/port to whatever suits your need. Bytes from the client are appended to /tmp/inflow on their way to the server, and the server's replies are appended to /tmp/outflow before the FIFO feeds them back to the first nc, which returns them to the client. Two things to watch: traditional netcat spells the listen option nc -l -p 61610, while the OpenBSD flavour (also the one shipped with Mac OS X) takes nc -l 61610; and nc exits once the first connection closes, so wrap the pipeline in a while true; do ...; done loop if the device reconnects. Since the listener accepts from anyone and the log files hold the cleartext protocol (credentials included), firewall the port or bind it only where the device can reach it. Now, if you point any device at your server's port 61610, you can tail /tmp/inflow and /tmp/outflow to see the protocol communications; you can tail both together with:

tail -f /tmp/inflow /tmp/outflow

If you are on Mac OS X, replace the mknod command with mkfifo, which creates the FIFO directly (and works on Linux as well):

mkfifo /tmp/backpipe
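The same tee-proxy idea written in Python, as an added example that is not code from the original post. It does what the netcat/FIFO pipeline does (listen on one port, forward to a backend, append each direction to an inflow and an outflow file) but keeps serving after the first client hangs up and refuses cleanly when the backend is down. The echo backend, the sample messages and the temporary log paths in capture() are constructed stand-ins for the real service on 61611; everything else is plain standard library.

```python
"""Python tee-proxy modelled on the netcat pipeline above; added example, not code
from the original post. Unlike a single nc it keeps serving after the first client."""
import os
import socket
import tempfile
import threading


class TeeProxy:
    def __init__(self, backend_host, backend_port, inflow="/tmp/inflow",
                 outflow="/tmp/outflow", listen_host="127.0.0.1", listen_port=61610):
        self.backend = (backend_host, backend_port)
        self.logs = {"in": inflow, "out": outflow}
        self.locks = {"in": threading.Lock(), "out": threading.Lock()}
        self.lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.lsock.bind((listen_host, listen_port))  # port 0 = pick a free one
        self.lsock.listen(5)
        self.port = self.lsock.getsockname()[1]
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def stop(self):
        self.lsock.close()  # accept() now raises OSError, which ends the loop

    def _accept_loop(self):
        while True:
            try:
                client, _ = self.lsock.accept()
            except OSError:
                return
            threading.Thread(target=self._session, args=(client,), daemon=True).start()

    def _session(self, client):
        try:
            backend = socket.create_connection(self.backend)
        except OSError:
            client.close()  # backend down: drop this client, keep listening
            return
        up = threading.Thread(target=self._pump, args=(client, backend, "in"))
        up.start()
        self._pump(backend, client, "out")  # server -> client runs in this thread
        up.join()
        client.close()
        backend.close()

    def _pump(self, src, dst, direction):
        """Copy src -> dst, appending every chunk to that direction's log first."""
        try:
            while True:
                data = src.recv(4096)
                if not data:
                    break
                with self.locks[direction], open(self.logs[direction], "ab") as log:
                    log.write(data)
                dst.sendall(data)
        except OSError:
            pass
        finally:
            try:
                dst.shutdown(socket.SHUT_WR)  # pass the EOF along
            except OSError:
                pass


def start_echo_backend():
    """Constructed stand-in for the real service: echoes each chunk uppercased."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                data = conn.recv(4096)
                while data:
                    conn.sendall(data.upper())
                    data = conn.recv(4096)
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], srv.close


def capture(messages=(b"HELO probe\r\n", b"DATA 42\r\n")):
    """One client session per constructed message; returns (inflow, outflow) bytes."""
    with tempfile.TemporaryDirectory() as tmp:
        inflow, outflow = os.path.join(tmp, "inflow"), os.path.join(tmp, "outflow")
        backend_port, close_backend = start_echo_backend()
        proxy = TeeProxy("127.0.0.1", backend_port, inflow, outflow, listen_port=0)
        for msg in messages:
            with socket.create_connection(("127.0.0.1", proxy.port)) as c:
                c.sendall(msg)
                c.shutdown(socket.SHUT_WR)  # client hangs up its side
                c.makefile("rb").read()     # drain the reply until EOF
        proxy.stop()
        close_backend()
        with open(inflow, "rb") as f, open(outflow, "rb") as g:
            return f.read(), g.read()
```

To use it in place of the nc pipeline, construct TeeProxy("localhost", 61611, listen_host="0.0.0.0") in a script that then blocks (for example threading.Event().wait()) and tail /tmp/inflow and /tmp/outflow as above; the default listen_host of 127.0.0.1 is deliberate, since the logs contain the cleartext protocol, so open the listener to the network only when the device really has to reach it from elsewhere.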