We are tracking http usage (mainly for our intranet) and I've been able to track it using the following on our OPENWRT router:

tcpdump -i wlan1 -s 0 -A 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420' | grep 'GET\|Host' >> /mnt/jlt/wlan1

This only outputs the Host and Request.

I can't figure out how to get the requesting IP, however.

For example, if a system 192.168.1.5 is requesting our internal site, I can only see the site requested and the path, but not the requesting IP (192.168.1.5).

Is there a way to also show the IP that is requesting through tcpdump? I know this is not really its design, but is there another way if it is not possible through this?

For reference the TCP dump (without the grep) is similar to as follows:

17:09:15.637887 IP (router).10199 > (dataSource).80: Flags [P.], seq 2206:2687, ack 33836, win 68, length 481
E..     ..@....d...g..$.'..P.C. '3.jP..D....GET (Path) HTTP/1.1
Host: (requestDomain)
Connection: keep-alive
User-Agent: (user-agent)
Accept:(file data)
Referer: (referer)
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: (cookie)
Jeff
    Is there any reason you are not using web server logs for this information? – Tero Kilkanen Jun 25 '18 at 18:00
  • @TeroKilkanen Yeah, we are as well. Much of the traffic we want to watch is some old, unmanaged servers all using http instead of https. We need to see who is still using the old server. We are unable to modify this server as it is an old system with a closed architecture. – Jeff Jun 25 '18 at 18:48
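An added example that is not part of the question or the answer: a small awk filter for the router's shell that carries the source address from each packet header line over to the GET and Host lines that follow it, which is exactly what the `grep 'GET\|Host'` in the question discards. The addresses and hostnames in the embedded sample are constructed; in practice the function reads the output of the tcpdump command shown in the comment (with `-n` to skip DNS lookups and `-l` so tcpdump line-buffers when piped).

```shell
#!/bin/sh
# Added example (not from the question or the answer): keep the client IP that
# `grep 'GET\|Host'` throws away by carrying the source address from each
# packet header line over to the GET and Host lines that follow it.
# Feed it from the router with (note -n to skip DNS and -l to line-buffer):
#   tcpdump -n -l -i wlan1 -s 0 -A 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420' | http_requests_with_src

http_requests_with_src() {
    awk '
    # Header line: "<time> IP <src>.<sport> > <dst>.<dport>: Flags ..."
    $2 == "IP" {
        src = $3; sub(/\.[0-9]+$/, "", src)     # drop the source port
        dst = $5; sub(/\.[0-9]+:$/, "", dst)    # drop the dest port and colon
        path = ""
        next
    }
    # -A prints the IP/TCP header bytes as dots before the request line,
    # so take everything from "GET " onward and keep the request path.
    index($0, "GET ") {
        split(substr($0, index($0, "GET ")), f, " ")
        path = f[2]
        next
    }
    # Host header of the same request: emit one line per request.
    /^Host: / && path != "" {
        host = $2; sub(/\r$/, "", host)         # strip a CR if one survived
        print src, dst, host, path
        path = ""
    }'
}

# Constructed sample in the format of the dump in the question (addresses
# and hostnames are made up), so the filter can be run offline.
SAMPLE=$(cat <<'EOF'
17:09:15.637887 IP 192.168.1.5.10199 > 10.0.0.20.80: Flags [P.], seq 2206:2687, ack 33836, win 68, length 481
E..@....GET /index.html HTTP/1.1
Host: intranet.example.local
Connection: keep-alive
17:09:16.001200 IP 192.168.1.7.40022 > 10.0.0.20.80: Flags [P.], seq 1:300, ack 1, win 229, length 299
E..5..@.....GET /old/app HTTP/1.1
Host: intranet.example.local
User-Agent: curl/7.58.0
EOF
)

# Prints:
# 192.168.1.5 10.0.0.20 intranet.example.local /index.html
# 192.168.1.7 10.0.0.20 intranet.example.local /old/app
printf '%s\n' "$SAMPLE" | http_requests_with_src
```

If the printed source is always the router's own address, the router is terminating the client connection itself (NAT or a proxy), and the client has to be found on the LAN-side interface or in the proxy's logs instead.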

1 Answer

The source IP of the packet is the first IP address after IP in the TCPDump output.

If it shows some other IP than the HTTP client IP address, then there is something in the middle, like a reverse proxy that creates another TCP connection from that box to the server. There could also be some weird NAT setup which replaces the source IP address on packets flowing through.

If it is a reverse proxy, then you can study the logs of it to see what client IPs access it.

Tero Kilkanen
  • Hmm The IP on my OpenWRT device is always shown after the IP field. Not the requesting system. – Jeff Jun 25 '18 at 20:05
  • Then it either means that the OpenWRT router itself is making the requests or that it is a reverse proxy that proxies the requests from outside to the web server. – Tero Kilkanen Jun 26 '18 at 06:36