TimothyMDean

Monitoring local network traffic


I am trying to debug an application that connects to another application locally using a plain socket connection. A server app opens up a socket and listens on port 1024 (by default), and then a client application is supposed to connect to that port and send it some information. That connection is not happening, as far as I can tell.

 

I know there are a variety of tools that allow me to monitor network traffic from a remote machine into my machine. However, I haven't seen anything that shows me when 2 local apps are trying to connect via localhost.

 

Does anyone know of a tool or method I can use to figure out what is going on here?

 

- Tim


Well, you could always do a tcpdump in the terminal

For ethernet it would probably be

tcpdump -v -i en0

and for the wireless card

tcpdump -v -i en1

A word of warning: it ain't pretty. The output will look something like this

Macintosh:~ kjes$ tcpdump -v -i en1
tcpdump: listening on en1, link-type EN10MB (Ethernet), capture size 96 bytes
16:01:56.708022 IP (tos 0x10, ttl 64, id 63565, offset 0, flags [DF], proto TCP (6), length 164) 10.0.1.30.ssh > 10.0.1.4.60648: P 931366934:931367046(112) ack 552970500 win 1253 <nop,nop,timestamp 813821 163848847>
16:01:56.708120 IP (tos 0x10, ttl 64, id 5076, offset 0, flags [DF], proto TCP (6), length 52) 10.0.1.4.60648 > 10.0.1.30.ssh: ., cksum 0x5233 (correct), ack 112 win 65535 <nop,nop,timestamp 163848857 813821>
16:01:57.660803 IP (tos 0x0, ttl 64, id 65157, offset 0, flags [none], proto UDP (17), length 67) 10.0.1.4.50229 > 10.0.1.1.domain: 57015+ PTR? 4.1.0.10.in-addr.arpa. (39)
16:01:57.665298 IP (tos 0x10, ttl 64, id 63566, offset 0, flags [DF], proto TCP (6), length 164) 10.0.1.30.ssh > 10.0.1.4.60648: P 112:224(112) ack 1 win 1253 <nop,nop,timestamp 814072 163848857>
16:01:57.665369 IP (tos 0x10, ttl 64, id 49321, offset 0, flags [DF], proto TCP (6), length 52) 10.0.1.4.60648 > 10.0.1.30.ssh: ., cksum 0x50be (correct), ack 224 win 65535 <nop,nop,timestamp 163848867 814072>
16:01:57.738751 IP (tos 0x0, ttl 64, id 5046, offset 0, flags [none], proto UDP (17), length 67) 10.0.1.1.domain > 10.0.1.4.50229: 57015 NXDomain* 0/0/0 (39)
16:01:57.740756 IP (tos 0x0, ttl 64, id 1945, offset 0, flags [none], proto UDP (17), length 68) 10.0.1.4.60663 > 10.0.1.1.domain: 26631+ PTR? 30.1.0.10.in-addr.arpa. (40)
16:01:57.744224 IP (tos 0x0, ttl 64, id 5052, offset 0, flags [none], proto UDP (17), length 68) 10.0.1.1.domain > 10.0.1.4.60663: 26631 NXDomain* 0/0/0 (40)
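The output above is easier to use once it is parsed rather than read by eye. The following is an added example, not code from the thread: a small Python parser for this tcpdump -v line format that extracts the endpoints, the TCP flag letters and the payload size, then filters a capture for a given port (1024 in the original question) and groups both directions of each conversation. The sample lines are the ones kjes posted, copied verbatim; the parser assumes the single-letter flag notation this tcpdump version prints (S, F, P, R, and "." for none). Note that the two PTR queries in the sample look like tcpdump's own reverse lookups of the ssh endpoints, which is why practitioners usually add -n so the capture does not contain traffic the capture tool itself generated.

```python
"""Added example (not from the thread): parse tcpdump -v lines of the kind
posted above into records, filter them by port, and summarise flows."""
import re
from collections import defaultdict

# Constructed sample: the eight lines from the post above, verbatim.
SAMPLE = [
    "16:01:56.708022 IP (tos 0x10, ttl 64, id 63565, offset 0, flags [DF], proto TCP (6), length 164) 10.0.1.30.ssh > 10.0.1.4.60648: P 931366934:931367046(112) ack 552970500 win 1253 <nop,nop,timestamp 813821 163848847>",
    "16:01:56.708120 IP (tos 0x10, ttl 64, id 5076, offset 0, flags [DF], proto TCP (6), length 52) 10.0.1.4.60648 > 10.0.1.30.ssh: ., cksum 0x5233 (correct), ack 112 win 65535 <nop,nop,timestamp 163848857 813821>",
    "16:01:57.660803 IP (tos 0x0, ttl 64, id 65157, offset 0, flags [none], proto UDP (17), length 67) 10.0.1.4.50229 > 10.0.1.1.domain: 57015+ PTR? 4.1.0.10.in-addr.arpa. (39)",
    "16:01:57.665298 IP (tos 0x10, ttl 64, id 63566, offset 0, flags [DF], proto TCP (6), length 164) 10.0.1.30.ssh > 10.0.1.4.60648: P 112:224(112) ack 1 win 1253 <nop,nop,timestamp 814072 163848857>",
    "16:01:57.665369 IP (tos 0x10, ttl 64, id 49321, offset 0, flags [DF], proto TCP (6), length 52) 10.0.1.4.60648 > 10.0.1.30.ssh: ., cksum 0x50be (correct), ack 224 win 65535 <nop,nop,timestamp 163848867 814072>",
    "16:01:57.738751 IP (tos 0x0, ttl 64, id 5046, offset 0, flags [none], proto UDP (17), length 67) 10.0.1.1.domain > 10.0.1.4.50229: 57015 NXDomain* 0/0/0 (39)",
    "16:01:57.740756 IP (tos 0x0, ttl 64, id 1945, offset 0, flags [none], proto UDP (17), length 68) 10.0.1.4.60663 > 10.0.1.1.domain: 26631+ PTR? 30.1.0.10.in-addr.arpa. (40)",
    "16:01:57.744224 IP (tos 0x0, ttl 64, id 5052, offset 0, flags [none], proto UDP (17), length 68) 10.0.1.1.domain > 10.0.1.4.60663: 26631 NXDomain* 0/0/0 (40)",
]

# timestamp, the parenthesised IP header summary ending in "length N", src > dst: rest
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP \((?P<hdr>.*?), length (?P<length>\d+)\) "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$"
)


def split_endpoint(endpoint):
    """'10.0.1.30.ssh' -> ('10.0.1.30', 'ssh'); without -n tcpdump prints service names."""
    host, port = endpoint.rsplit(".", 1)
    return host, port


def parse_line(line):
    """Return a dict for one tcpdump -v line, or None if it is not a packet line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    proto = re.search(r"proto (\w+)", m["hdr"]).group(1)
    src_host, src_port = split_endpoint(m["src"])
    dst_host, dst_port = split_endpoint(m["dst"])
    rest = m["rest"]
    # Old-style TCP flag token: 'P', '.', 'S', 'R', 'F' (possibly followed by a comma).
    flags = rest.split()[0].rstrip(",") if proto == "TCP" else None
    # '(112)' after the sequence range is the TCP payload size; for UDP '(39)' is the datagram payload.
    payload_m = re.search(r"\((\d+)\)", rest)
    payload = int(payload_m.group(1)) if payload_m else 0
    return {
        "ts": m["ts"], "proto": proto, "length": int(m["length"]),
        "src_host": src_host, "src_port": src_port,
        "dst_host": dst_host, "dst_port": dst_port,
        "flags": flags, "payload": payload,
    }


def packets_for_port(lines, port):
    """Keep packets with the given port (number or service name) at either end."""
    port = str(port)
    parsed = (parse_line(line) for line in lines)
    return [p for p in parsed if p and port in (p["src_port"], p["dst_port"])]


def flow_summary(lines):
    """Group both directions of each conversation and total the payload bytes."""
    flows = defaultdict(lambda: {"packets": 0, "payload_bytes": 0, "flags": set()})
    for line in lines:
        p = parse_line(line)
        if not p:
            continue
        ends = sorted([(p["src_host"], p["src_port"]), (p["dst_host"], p["dst_port"])])
        f = flows[(p["proto"],) + tuple(ends)]
        f["packets"] += 1
        f["payload_bytes"] += p["payload"]
        if p["flags"]:
            f["flags"].add(p["flags"])
    return dict(flows)


def connection_attempts(lines, port):
    """What the capture shows for a server port: SYNs toward it and RSTs back from it.
    No SYN at all means the client never tried; SYN followed by RST means nothing
    was listening (or something answered with a reset)."""
    port = str(port)
    pkts = packets_for_port(lines, port)
    syns = [p for p in pkts if p["dst_port"] == port and p["flags"] and "S" in p["flags"]]
    rsts = [p for p in pkts if p["src_port"] == port and p["flags"] and "R" in p["flags"]]
    return {"syn_to_port": len(syns), "rst_from_port": len(rsts)}


if __name__ == "__main__":
    for key, f in flow_summary(SAMPLE).items():
        print(key, f)
    print("port 1024:", connection_attempts(SAMPLE, 1024))
```

On the sample, `connection_attempts(SAMPLE, 1024)` reports no SYN and no RST, which is the situation the original question describes: nothing in the capture touches the port at all. Run the same function over a capture from `tcpdump -v -n -i lo0` (the loopback interface, see the later posts) to tell "the client never connects" apart from "the client connects and the server resets it".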


My networking knowledge has faded in recent years, so correct me if I'm off on this. But I seem to remember that TCP connections between processes on the same machine don't actually go through the network interfaces en0 or en1. Don't they instead use a special loopback device as an optimization? If so, would the tcpdump command still work?

 

I'd check this out myself but I'm not at the computer where I have this test case set up..

 

Thanks for the response.

 

-Tim


Oh, right. I misunderstood you there.

Well, if you change to

tcpdump -v -i lo0

you'll get the tcpdump of loopback I believe. I'm no programmer, but I'd think it depends on the programming. If it's set to use loopback or go to the router and back in again, then it would go in and out on the same interface.
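Capturing on lo0 needs root (as the next posts find out). An added example, not code from the thread, that gets at the same question from userland: connect to the server port yourself and classify what the kernel reports. "refused" means a RST came back, so nothing is bound on that address and port; "timeout" means the SYN was dropped; "open" means the handshake completed. The script starts its own listener on an ephemeral port so it runs self-contained; port 1024 from the question is only an assumption for the real case. It also probes every address a hostname resolves to, because "localhost" commonly maps to both 127.0.0.1 and ::1, and a server bound to only one of them looks refused on the other; the thread does not say this is Tim's problem, it is simply a common cause worth ruling out.

```python
"""Added example (not from the thread): check a local TCP listener from
userland, without tcpdump or root, and tell the failure modes apart."""
import errno
import socket


def start_listener(bind_host="127.0.0.1", port=0):
    """Open a listening IPv4 socket; port 0 lets the kernel pick a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_host, port))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def probe(host, port, timeout=1.0):
    """TCP connect to host:port and classify the outcome.
    'open'    - handshake completed (the server exists even if it never accept()s)
    'refused' - RST came back: nothing bound on this address/port
    'timeout' - SYN was dropped (firewall, or no route)
    anything else is reported as the errno name."""
    try:
        family, stype, proto, _, addr = socket.getaddrinfo(
            host, port, type=socket.SOCK_STREAM)[0]
    except socket.gaierror as exc:
        return f"resolve-error:{exc}"
    with socket.socket(family, stype, proto) as s:
        s.settimeout(timeout)
        try:
            s.connect(addr)
        except socket.timeout:
            return "timeout"
        except OSError as exc:
            if exc.errno == errno.ECONNREFUSED:
                return "refused"
            return f"error:{errno.errorcode.get(exc.errno, exc.errno)}"
    return "open"


def probe_all(host, port, timeout=1.0):
    """Probe every address the name resolves to, e.g. both 127.0.0.1 and ::1
    for 'localhost', so a server bound to only one family is spotted."""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return [(host, f"resolve-error:{exc}")]
    seen, results = set(), []
    for _, _, _, _, addr in infos:
        ip = addr[0]
        if ip not in seen:
            seen.add(ip)
            results.append((ip, probe(ip, port, timeout)))
    return results


if __name__ == "__main__":
    # Assumed scenario: a server that only bound the IPv4 loopback address.
    srv, port = start_listener("127.0.0.1")
    print("while the server listens:", probe_all("localhost", port))
    srv.close()
    print("after the server exits:  ", probe("127.0.0.1", port))
```

For the real case, replace the self-started listener with the application's server and call `probe_all("localhost", 1024)`: if every address comes back "refused" the server never bound the port (or bound a different address); if one address is "open" and another "refused", the client is most likely connecting to the address the server did not bind.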


When I try to run tcpdump, I get an error:

tcpdump: (no devices found) /dev/bpf0: Permission denied

 

I tried this in an account that has administrative rights on the machine, but that doesn't help. I tried it with both en0 and lo0 interfaces, and still the same.

 

Do you know what I need to do to get tcpdump working for me?

 

Thanks,

 

-Tim


Did you try sudo-ing it?


 

I assume by this you mean a plain "sudo ..." command without a specific "-u user" - In other words doing a sudo as root?

 

No I haven't tried this yet. The Mac where this is happening doesn't currently have root access enabled. When I try to su and enter my normal admin password it doesn't work. I believe that I need to enable root access before sudo will work. Correct me if I'm wrong on that: I always find it hard to keep track of how sudo and the sudoers file is set up by default.

 

It's been a while since I've had to root-enable any of my Macs. I'll have to dig out my notes on how to do that. Or can someone give me a link that tells me how to do that?

 

Thanks,

 

-Tim


You don't need to have root enabled for sudo to work, your account just needs to have admin privileges in System Preferences > Accounts.

Edited by ithonicfury

 

OK - It looks like I can sudo but not in the way I thought I could. I use a non-admin account for my day-to-day operations, and I thought that I could go into the terminal and "su admin" to switch the terminal session to the admin account. Once acting as admin I had tried to sudo, but that didn't work. It does appear, however, that if I switch users via Mac's fast user switching feature, and open a terminal from my admin user that way, sudo will work.

 

I'm not sure what difference the terminal sees when I use fast user switching vs. using su to become my admin user directly in the terminal. There does appear to be a difference though, so I'll try out tcpdump this other way to see if it works for me.

 

Thanks,

 

-Tim
