
I'm developing a product and at a certain point I need to get the domain names used to access some service on a specific port. Let's suppose I have a computer network with Internet access through a Linux gateway. I'm interested in port 6208 as an example (it could be any port).

When someone within this network connects to [domain name]:6208 I want an application I'll develop to get [domain name] at the gateway.

When connecting to eg.example.com:6208, the application must get eg.example.com.

What can I do at the gateway to get this behaviour? Is there some way to do it using existing tools? What I'm asking isn't how to develop the referred application, but how/where I can get this data (the domain name). Given that the gateway runs a Linux distribution, it must have some way to do that.

So, does somebody have a hint?

Tiago.SR
  • `I want to get "eg.example.com" recorded` Recorded where? Please clarify... – krisFR Aug 03 '14 at 00:32
  • Actually I want an application I'll develop to get these domain names and record them into a database; this must occur in real time. When connecting to eg.example.com:6208, eg.example.com must be immediately recorded by the referred application. – Tiago.SR Aug 03 '14 at 00:38
  • How is `eg.example.com:6208` served? Is this a web server (which one)? What serves this? – krisFR Aug 03 '14 at 00:42
  • `eg.example.com:6208` is just an example, but it could be any service running over TCP on port 6208. – Tiago.SR Aug 03 '14 at 00:53
  • This is interesting! Please update your initial question with the details you provide in comments, to improve it. You already have a "close" flag for "unclear what you are asking"... – krisFR Aug 03 '14 at 01:00
  • To get the domain name on the gateway, you'll need to use reverse DNS. However, this often won't return the same name that the client used, because of virtual servers. Since the gateway just sees the IP packets, and they only have the address in them, it's not possible to determine which of many names was used. – Barmar Aug 03 '14 at 10:23
  • Right, and the name in reverse DNS is not always the same as in the A records. I've already thought of reverse DNS but there is this issue. – Tiago.SR Aug 03 '14 at 21:51
  • You could sniff DNS queries too and try matching them with the IP addresses you're seeing. – Cristian Ciupitu Aug 04 '14 at 23:59

2 Answers


Based on your responses to @user2629636 - i.e. traffic sniffing is not detected, the probable answer is "you can't". TCP has no knowledge of the domain name associated with an IP address.

Depending on what you are trying to do you may be able to assign a unique IP address (possibly an RFC1918 address) to each domain name, and then use IPTables to trigger the script. In reality, IPTables can't do this by itself, so it's a matter of writing a log and then using something like "Fail2Ban" to act on the logged entry as a trigger. Messy.

Alternatively, look at using Knockd to trigger a script when you connect to a port. This means each IP needs a distinct port to work on - probably on the router itself, so probably also a dead end.

davidgo

You would probably like to use either tcpdump or wireshark on your gateway. With wireshark, you will get more details.

If the traffic is actually HTTP-type traffic, you may want something like this:

tshark -d tcp.port==6208,http

After you get whatever field from the packet, you should be able to pipe it into a MySQL insert statement etc.

user2629636
  • The product I'm developing aims to be used in high-traffic networks. Traffic sniffing makes network performance drop drastically. Furthermore I need the application to get the domain name as soon as a connection to port 6208 is detected. – Tiago.SR Aug 03 '14 at 02:56
  • You can mirror the traffic to another machine to do packet sniffing so that the other one (gateway) is not affected at all. – user2629636 Aug 03 '14 at 02:59
  • Mirroring increases CPU usage and restricts equipment to that which can do it. And I can't make clients have two machines just to run my product; competing products require only one. – Tiago.SR Aug 03 '14 at 03:28
  • Mirroring "on a network device" before the Linux gateway has "0" effect on the CPU of the gateway; almost any decent switch can do that. Just pop up a very basic Linux machine and that's all you need. You need packet analysis to do what you want. – user2629636 Aug 03 '14 at 12:38
  • I can't force my clients to have a switch able to do port mirroring. Although competing products work a different way, they require only one machine connected, nothing more. There must be another way of getting the domain names... – Tiago.SR Aug 03 '14 at 21:54
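Added example, not code from the question or either answer: a sketch of the passive DNS correlation suggested in Cristian Ciupitu's comment, combined with the field-extraction approach of the second answer, so that a connection to port 6208 is matched against the names clients recently resolved to that IP. It assumes a DNS feed in the tab-separated shape of `tshark -Y "dns.flags.response == 1" -T fields -e frame.time_epoch -e dns.qry.name -e dns.a` and a connection feed from the gateway's own firewall or conntrack logs; all sample values are constructed, and, as Barmar's comment notes, the result is a list of candidate names (possibly several, possibly none), not a certainty.

```python
from collections import defaultdict

# Constructed sample DNS response lines (epoch time, query name, A records).
# Multiple A records in one response are comma-joined as tshark prints them.
SAMPLE_DNS_LINES = [
    "1407024000.10\teg.example.com\t192.0.2.10",
    "1407024001.20\tother.example.net\t192.0.2.10,192.0.2.11",
    "1407024002.30\tcdn.example.org\t198.51.100.5",
]

# Constructed connection events as a firewall/conntrack feed on the gateway
# would report them: (epoch time, client IP, destination IP, destination port).
SAMPLE_CONNECTIONS = [
    (1407024003.0, "10.0.0.5", "192.0.2.10", 6208),
    (1407024003.5, "10.0.0.6", "198.51.100.5", 22),
    (1407024004.0, "10.0.0.7", "203.0.113.9", 6208),
]


class PassiveDnsCache:
    """Maps destination IPs to the names clients actually resolved to them."""

    def __init__(self, max_age=300.0):
        self.max_age = max_age                 # seconds a mapping stays usable
        self.ip_to_names = defaultdict(dict)   # ip -> {query name: last seen}

    def ingest_line(self, line):
        ts, qname, answers = line.rstrip("\n").split("\t")
        for ip in filter(None, answers.split(",")):
            self.ip_to_names[ip][qname] = float(ts)

    def names_for(self, ip, now):
        # Return every name seen for this IP within max_age; several names
        # can share one address (virtual hosting), and a client that used a
        # cached, hard-coded or /etc/hosts entry produces no DNS traffic at all.
        seen = self.ip_to_names.get(ip, {})
        return sorted(n for n, t in seen.items() if now - t <= self.max_age)


def correlate(dns_lines, connections, port, max_age=300.0):
    """Pair each connection to `port` with candidate names for its destination."""
    cache = PassiveDnsCache(max_age)
    for line in dns_lines:
        cache.ingest_line(line)
    results = []
    for ts, client, dst_ip, dport in connections:
        if dport == port:
            results.append((client, dst_ip, cache.names_for(dst_ip, ts)))
    return results
```

In a live setup the DNS lines and connection events arrive interleaved, so `ingest_line` would be called as each response is seen and `names_for` as each new connection appears.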