net-mon

tcpdump’in, pcap’in, dnstap

dig into http headers

# HTTP to port 8081 on a container veth: -A prints payload as ASCII, -s 0 keeps the whole packet,
# and the arithmetic keeps only segments whose TCP payload is non-empty
# (IP total length - IP header length - TCP header length != 0), so SYN/ACK/FIN noise is dropped
sudo tcpdump -A -s 0 -ni vethac55d08 'tcp dst port 8081 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
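The same "payload length != 0" test, done offline on a pcap so the arithmetic in the BPF filter is visible. This is an added example, not part of the original notes: a pure-Python reader for the classic pcap format that mirrors the IP/TCP header-length subtraction from the filter above and then pulls the request line and headers out of the matching segments. The frames and the pcap are constructed inline for the example; port 8081 and the header values are assumptions, not taken from a real capture.

```python
# Added example (not from the original notes): classic pcap reader plus the
# "segment carries payload" test the tcpdump filter encodes in BPF:
#     (ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2) != 0
# i.e. IP total length - IP header length - TCP header length.
# Frames and pcap below are constructed here; port/header values are assumptions.
import struct

ETH_IPV4 = b"\x08\x00"
# magic -> byte order; usec and nsec variants, both endiannesses
PCAP_MAGICS = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">", 0xA1B23C4D: "<", 0x4D3CB2A1: ">"}


def build_frame(payload: bytes, dport: int = 8081) -> bytes:
    """Ethernet + IPv4 + TCP frame (checksums left zero; fine for offline parsing)."""
    eth = b"\x00" * 12 + ETH_IPV4
    ip_total = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total, 0, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    # data offset 5 words (20 bytes) in the high nibble of byte 12, flags PSH|ACK
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def pcap_bytes(frames) -> bytes:
    """Classic little-endian pcap: 24-byte global header, 16-byte record headers, linktype 1."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


def iter_pcap(data: bytes):
    """Yield (ts_sec, ts_frac, frame) per record, honouring the byte order the magic implies."""
    magic = struct.unpack_from("<I", data, 0)[0]
    endian = PCAP_MAGICS[magic]  # KeyError if the global header is missing (e.g. lost by tail -f)
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl, _orig = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield ts_sec, ts_frac, data[off:off + incl]
        off += incl


def tcp_payload(frame: bytes):
    """Return (dst_port, payload) for an IPv4/TCP frame using the BPF arithmetic; None otherwise."""
    if frame[12:14] != ETH_IPV4:
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4 or ip[9] != 6:           # not IPv4, or not TCP
        return None
    ihl = (ip[0] & 0x0F) << 2                   # (ip[0]&0xf)<<2
    total = struct.unpack_from("!H", ip, 2)[0]  # ip[2:2]
    tcp = ip[ihl:]
    doff = (tcp[12] & 0xF0) >> 2                # (tcp[12]&0xf0)>>2
    dport = struct.unpack_from("!H", tcp, 2)[0]
    plen = total - ihl - doff
    return dport, tcp[doff:doff + plen]


def http_headers(payload: bytes):
    """Parse request line + headers from the start of a segment; None if it is not HTTP."""
    head, sep, _body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    if not sep or b" HTTP/" not in lines[0]:
        return None
    hdrs = {"request": lines[0].decode("latin-1")}
    for line in lines[1:]:
        k, _, v = line.partition(b":")
        hdrs[k.decode("latin-1").strip().lower()] = v.decode("latin-1").strip()
    return hdrs


def http_requests(pcap: bytes, dport: int = 8081):
    """'tcp dst port <dport>' and payload length != 0, then header extraction."""
    out = []
    for _sec, _frac, frame in iter_pcap(pcap):
        r = tcp_payload(frame)
        if r is None or r[0] != dport or len(r[1]) == 0:
            continue
        h = http_headers(r[1])
        if h is not None:
            out.append(h)
    return out


# Constructed sample: a pure ACK (no payload), one request to 8081, and traffic to 443.
SAMPLE_PCAP = pcap_bytes([
    build_frame(b""),
    build_frame(b"GET /admin HTTP/1.1\r\nHost: app.internal\r\nAuthorization: Bearer example\r\n\r\n"),
    build_frame(b"not http", dport=443),
])

if __name__ == "__main__":
    for h in http_requests(SAMPLE_PCAP):
        print(h)
```

The pure ACK is dropped by the same subtraction the BPF expression performs, which is why the tcpdump output above shows only segments that actually carry headers; the KeyError on an unknown magic is the offline equivalent of tcpdump's "bad magic" when a reader is handed a pcap stream without its global header.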
# mkdir /data
# long-running capture to a timestamped file; -w writes raw packets, so -A would have no effect here
# ('host 10...' is the capture host, left as in the note)
nohup tcpdump --no-promiscuous-mode -ni ens2 -w /data/$(date -u '+%Y%m%d-%H%M%S').pcap 'host 10... and port (33002 || 33003)' &



# generic form: --immediate-mode delivers packets as they arrive instead of waiting for the
# capture buffer to fill, and --packet-buffered (-U) flushes each packet to the -w output, so a
# consumer reading the file or FIFO sees it right away. adapter/adapter_unsynced timestamps
# need NIC support; check what the interface offers with: tcpdump --list-time-stamp-types -i <iface>
tcpdump --immediate-mode --packet-buffered \
    --time-stamp-type={host|adapter|adapter_unsynced} \
    --time-stamp-precision={micro|nano} \
    -w /tmp/tcpdump-vector

mkfifo /tmp/t2v.pcap.sock

# writer side: open the reading end first (e.g. tcpdump -nr /tmp/t2v.pcap.sock in another shell),
# otherwise the writer blocks on open(); -c 3 stops after three packets
tcpdump --immediate-mode --packet-buffered \
    --time-stamp-type=host --time-stamp-precision=micro \
    -c 3 --no-promiscuous-mode -ni eth0 -w /tmp/t2v.pcap.sock

# following a growing pcap file: plain 'tail -f' starts at the last 10 "lines", which drops the
# 24-byte pcap global header and tcpdump fails with a bad-magic error; -c +1 starts at byte 1.
# --time-stamp-precision=nano on -r only converts the printed timestamps.
tail -c +1 -f /tmp/t2v-1.pcap | tcpdump -n --time-stamp-precision=nano -r -

dnstap

https://jpmens.net/2017/09/11/dns-query-response-logging-with-dnstap/

http://dnstap.info/slides/dnstap_vldss2014.pdf

Build NSD with dnstap support (needs the fstrm and protobuf-c development libraries at configure time):

./configure --enable-dnstap
make && make install

Run the dnstap receiver as the nsd user, so the socket it creates is owned by the account nsd connects from (-u = unix socket path; the -c argument is single-quoted because the path contains no shell expansion):

su - nsd -s /bin/bash -c 'dnstap_receiver -u /var/run/nsd/dnstap.sock'

https://dmachard.github.io/posts/0001-dnstap-testing/#nlnetlabs---nsd
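The nsd.conf side that the receiver above listens for. This fragment is added here and is not from the original notes; the option names are the dnstap block documented in nsd.conf(5) and the socket path is the one used in the receiver command above. Treat the key set as an assumption for your NSD version and run nsd-checkconf after editing.

```yaml
# nsd.conf dnstap block (added example; keys per nsd.conf(5), verify for your NSD version)
dnstap:
    dnstap-enable: yes
    # must match the path the receiver was started with
    dnstap-socket-path: "/var/run/nsd/dnstap.sock"
    dnstap-send-identity: yes
    dnstap-send-version: yes
    # NSD is authoritative, so the AUTH_QUERY / AUTH_RESPONSE message types are the ones it emits
    dnstap-log-auth-query-messages: yes
    dnstap-log-auth-response-messages: yes
```

Reload nsd after the change and watch the receiver for AUTH_QUERY/AUTH_RESPONSE lines; no output with the socket present usually means NSD was started before the receiver and has not reconnected yet.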

See also: