Viewing Internet requests and responses

charlest · 07-18-2006, 06:37 PM

In RedHat Linux 9, I've configured Firewall to High.

What command should I be using in order to view the Internet requests and responses on the machine?

gilead · 07-18-2006, 08:25 PM

That's not dependent on your firewall settings (unless your firewall is configured to log requests on port 80, 443, 8080, etc. If you have a web server running, you can use a text editor to look through the access and error logs for Apache.

You could use netstat to see the TCP connections, or iptstate to view the iptables connections table. Or, you can use a packet sniffer (ethereal, tcpdump) to monitor the traffic on the web ports as they happen. This will generate a lot of data though - what was it you needed to do?

charlest · 07-18-2006, 08:32 PM

Quote:

Originally Posted by gilead

That's not dependent on your firewall settings (unless your firewall is configured to log requests on port 80, 443, 8080, etc. If you have a web server running, you can use a text editor to look through the access and error logs for Apache.

You could use netstat to see the TCP connections, or iptstate to view the iptables connections table. Or, you can use a packet sniffer (ethereal, tcpdump) to monitor the traffic on the web ports as they happen. This will generate a lot of data though - what was it you needed to do?

Simply, I would like to be able to view the current web addresses requested from the machine.

gilead · 07-18-2006, 09:59 PM

A typical line from an Apache log file looks like this:

Code:

10.225.49.21 - - [13/Jul/2006:11:29:13 +1000] "GET /bugzilla/editparams.cgi HTTP/1.1" 200 56338 "http://some.server.com/bugzilla/index.cgi" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4"

The fields are (see http://httpd.apache.org/docs/2.0/logs.html for more detail):
- IP address of the requestor;
- Identity returned by identd (not populated unless IdentityCheck is set to On);
- userid of the document requestor as determined by HTTP authentication;
- The time that the request was received;
- The request line from the client is given in double quotes;
- The status code that the server sent back to the client;
- The size of the object returned to the client, not including the response headers;
- The "Referer" (sic) HTTP request header;
- The User-Agent HTTP request header.

You can view this raw data with the tail command (alter it for your site):

Code:

 tail -f /var/log/httpd/access.log

Or you can use a log-file analyser (Google will return plenty of hits) such as awstats.

charlest · 07-18-2006, 11:57 PM

Hi Steve

Sorry for the confusion, actually, I'm not running Apache web server.

However, I would like to find out the web addresses my machine is attempting to goto.

Charles

gilead · 07-19-2006, 01:30 AM

No problem - I use ethereal from http://www.ethereal.com/ for packet sniffing. You could start it with a filter for ports 80, 443 (encrypted), 3128 (Squid proxy) and 8080 (Tomcat) for example and it will capture all of the packets going to/from those ports.

There are rpms available for ethereal, have you used it before?

charlest · 07-19-2006, 06:46 PM

I've just ran the rpm for "ethereal", the outputs are listed below. Would the listed version be enough for packet sniffing port 80?
/////////////////////////////
$ rpm -qa | grep ethereal
ethereal-0.10.3-0.90.1
/////////////////////////////

gilead · 07-19-2006, 07:11 PM

It should be - I run it here with:

Code:

sudo ethereal

Once it's running go to the Capture menu and select Options. Select the network interface (probably eth0) and set a capture filter (e.g. port 80 or port 3128). I set the Update List of Packets in Real Time option as well as all three of the Name Resolution options. Click Start, open your web browser and start browsing.

Once you have packets captured and displayed on ethereal's main screen, right-click on a packet and select Follow TCP Stream. You should get an ASCII listing of the traffic.