In Perl/C implementing an SSH connection (using port forwarding). How do one actually check what is going on inside the SSH tunnel? For example: ssh -L 5902:localhost:10003 <remotehost>

I want to basically check whether there is traffic between this connection.

thanks
Aaron

the following procedure may be helpful to you....

Hi there,

I am basically trying to check if there is a vncviewer connecting to a vncserver through SSH.

I was playing around with netstat for a bit and found a very interesting behaviour when vncviewer is connecting to a vncserver through an SSH tunnel.

Basically i setup port forwarding: SSH -L 10001:localhost:5900 <remote-host>
Then. with the command: netstat -t | grep <remote-host>, i realise:

1.) When RECV-Q is = 0, it means there is no user activity -> When RECV-Q == 0 it means that there is no activity within SSH
2.) When RECV-Q is > 0, it means there is user activity
3.) When SEND-Q is = 0 or > 1504, it means SSH connection is active and host is alive.
4.) When SEND-Q is = 1504, it means SSH connection is active, but host is dead.

Do you think this result will hold? I am just doing this through general testing of behaviour, do you think this approach would be better than using wireshark? I am trying to refrain from using external packages and instead rely on built in tools.

Thanks
aaron
http://aarontwc.blogspot.com

what is the concept of 1504 here? I didn't get......!!!

use tcpdump.

Hi,

1504 is basically a fixed amount of byte that netstat sends to 'test'.

Anyhow, I am indeed playing with tcpdump right this moment. but it is not really returning me anything.

I tried tcpdump -i eth0 tcp port 5902

Also.. actually i was thinking.. maybe the best way to do it is really to check tcp traffic of the program than the port.

Is there any program that I can use to track tcp traffic of a process ID?

THANKS!!!!
Aaron

use the netstat with -p option. you will get the process id too.