# OPENSHIFT TCPDUMP

## OPENSHIFT DEBUG TCPDUMP

```
# NAME=<pod-name>
# NAMESPACE=<pod-namespace>
# pod_id=$(chroot /host crictl pods --namespace ${NAMESPACE} --name ${NAME} -q)
# pid=$(chroot /host bash -c "runc state $pod_id | jq .pid")
# nsenter_parameters="-n -t $pid"

1-) HAZIRLIK
oc get pods -o wide ile tcpdump almak istedigimiz pod'un node adini, adini ve namespace'ini ogreniriz.
node adi: mynode-XXX
pod adi: centos-5d78b88cf7-qjn8v
namespace: aydemir-minio

2-) TCPDUMP BASLAT
## POD'un calistigi NODE ismini gir
oc debug node/mynode-XXX
## asagidaki komutlar runtime gelen podun shell'inde girilir
enter shell> > chroot /host
sh> crictl pods --namespace aydemir-minio --name centos-5d78b88cf7-qjn8v -q
1592f7d60223b6add2274c6f93863dac4dffcd78141795110d73b8e94c5cddee
sh> runc state 1592f7d60223b6add2274c6f93863dac4dffcd78141795110d73b8e94c5cddee | jq .pid
4134851
sh> nsenter_parameters="-n -t 4134851"
sh> export http_proxy=http://192.168.1.1:8080
sh> export https_proxy=http://192.168.1.1:8080
sh> /usr/bin/toolbox
sh> yum install tcpdump -y
## NOT: nsenter_parameters export edilmeden atandigi icin toolbox icindeki shell'de bos gelebilir;
## bos geliyorsa toolbox icinde tekrar tanimlayin, aksi halde tcpdump pod yerine host namespace'inde calisir.
sh> nsenter $nsenter_parameters -- tcpdump -nn -i any -w /tmp/${HOSTNAME}_$(date +\%d_%m_%Y-%H_%M_%S-%Z).pcap

3-) TCPDUMP sonlandir
Ctrl-C ile tcpdump'i sonlandir
## TCPDUMP dosyasini kendi server'ina kopyala, scp yoksa yukleriz
4-) scp /tmp/*.pcap MYUSER@MYIP:/tmp/.
## NOT: pcap dosyasi tam paket icerigini tasir (varsa kimlik bilgileri ve kisisel veriler dahil); dosyaya erisimi kisitli tutun.

5-) tcpdump ile ac; http isteklerine bakmak icin
tcpdump -qns 0 -A -vv 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420 or tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504F5354 or tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x48545450 or tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x3C21444F' -r myfile.pcap | more

6-) tcpdump -ns 0 -S -A -vv -r myfile.pcap | more
```

pcap (wireshark formatli) dosyayi linux sunucuda arayuz olmadan gormek icin ubuntu ailesinde tshark, redhat ailesinde wireshark-cli paketlerini kurariz.
```
yum install wireshark-cli -y
tshark -r test.pcap -V -x | more
```

### TCPDUMP HTTP REQUEST

Asagidaki filtre TCP payload'unun ilk 4 byte'ini ("GET ", "POST", "HTTP", "<!DO") karsilastirir; bu yuzden sadece sifresiz HTTP trafiginde eslesir.

```
nsenter $nsenter_parameters -- tcpdump -i any -s 0 -A -vv 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420 or tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504F5354 or tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x48545450 or tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x3C21444F' -w /tmp/${HOSTNAME}_$(date +\%d_%m_%Y-%H_%M_%S-%Z).pcap
```

### TCPDUMP RESPONSES AND REQUESTS

```
vi readtcpdump.sh

for stream in `tshark -r "myfile.pcap" -2 -R "tcp and (http.request or http.response)" -T fields -e tcp.stream | sort -n | uniq`
do
  echo "==========BEGIN REQUEST=========="
  tshark -q -r "myfile.pcap" -z follow,tcp,ascii,$stream
  echo "==========END REQUEST=========="
  read -p "enter to continue"
  clear
done

:wq!

chmod +x readtcpdump.sh
./readtcpdump.sh
```

## NOT

```
# asagidaki parametrelerle 100M'lik 50 dosyaya kadar tcpdump aliriz. Eger tek bir dosya 100M olsun istersek -C 100 -W 1 yapabiliriz.
-C 100 -W 50
# eger sadece -C kullanirsak size doldugunda dosya adina suffix vererek yeni dosya olusturur.
```