Copying UDP traffic from a bound port - networking

I have two applications that both bind to the same port to receive UDP traffic. I am able to change the listen port of one of the programs but not the other. I need both to be able to see the traffic.
I have tried using socat for this but have been unable to figure out how to get it to send a copy of the traffic to a different port without interfering with the program bound to the original port.

A few tricks come to mind, but when you are not able to change both receiving ports or the target port of the sender, you will need to use iptables to modify the port of the incoming packets. On that port Socat with sniffing (option -r) to a pipe and another Socat instance could solve your problem.

Related

Wireshark not capturing any packets when I apply 'tcp port http' filter

I am using a mac and trying to capture packets live packets when I am loading up a website. I am connected over Wifi and am able to capture packets without those filters being used.
However when I enter in 'tcp port http' I am coming up empty handed.
Any suggestions to solve this?
When you use a port name in a capture filter expression, libpcap (the packet capture library that Wireshark uses) needs to convert the name into a number that it can use to match against bytes the captured packet. It does so by looking up the port name in /etc/services. (Specifically, it calls getaddrinfo, which usually looks up the port in /etc/services on macOS and Linux, and C:\system32\drivers\etc\services on Windows.) If I open /etc/services on my system here, "http" corresponds to port 80.
However, the modern web doesn't really use port 80 any more. Most web traffic these days is encrypted using HTTPS, and the IANA-assigned port for HTTPS is 443.
You might have better luck using "tcp port 443" or "tcp port 443 or tcp port 80" to make sure you capture both HTTP and HTTPS.
As far as I know, the filter has to be tcp.port == 80.
But if your Wireshark doesn't capture anything (without filter), you may check your installation and the wiki.

Verifying that a communication is happening over IPSec?

Is there a way one could test whether the communication between two hosts is happening over the IPSec protocol?
I have two different hosts running the OpenSource Peer2PeerVPN solution. And I have one host listening for messages via the net-cat tool.
nc -v -l -p 9999
And the other host connected to this via the VPN tunnel
nc -v 192.168.188.2 9999
I want to verify or check whether the communication is actually happening over the IPSec protocol. Also, I would like to see the values of the IPSec Protocol's Authentication and Encapsulation Headers.
I tried tcpdump but I'm guessing it only provides a capture on the layer above the Network level - Transport.
EDIT:
Based on a comment below I downloaded a sample pcap file to view how headers look in a IPSec communication. I see that these traces have ESP headers of the IPSec protocol.
However, when I try the same with the VPN Tool I'm using I don't see any packets with ESP header on the tcpdump. I was listening on the VPN interface (peervpn0) that the tool creates.
To check if this was a problem with the tool, I connected to a remote server to which I usually connect using VPN and sent some data via netcat to my machine from inside the remote-machine (I ssh'ed in). I listened for all packets on the VPN interface created by the Cisco VPN Tool (utun0) with filter esp
tcpdump -vvv -i utun0 esp
Still, I did not see any traces.
What am I missing here?
Should I listen on the default interface (my wifi interface) via which the VPN tunnel is created to see the ESP Headers?
Or have understood something wrong here?
Thank You
Shabir
With some further reading I was able to find out that PeerVPN does not communicate over IPSec but using encryption and sends the data as UDP payload over the underlying interface.
I also saw that many of the VPN tools indeed do this and does encrypt the tunnel interface packets and forwards them over UDP in the underlying interface. Besides some VPN solutions have a separate option to enable IPSec protocol specifically.
Thank You.

How can I control the source port of a TCP packet?

To test my implementation of a NAT, I want to send TCP packets from one internal host to two different external hosts, and make sure that the source port for both streams of packets that leave the NAT have the same source port. How can I control the source port? wget uses different source ports for separate TCP connections.
Maybe you want to try netcat with -p option, if you don't want to write code by yourself, example:
$ nc -p 31337 www.google.com 80
Here is the explanation for "-p" option from man page:
Specifies the source port nc should use, subject to privilege restrictions and availability. It is an error to use this option in conjunction with the -l option.
Note though to use any port under 1024 requires root permission.
Bind the socket to a specific local port before you connect it.

When is port forwarding necessary?

I've been investigating networking for use in a two-player game I'm writing, and I'm still not clear on when a device must have a port forwarded in order to communicate with the outside world.
From what I've seen in other games, port forwarding is always required in order to host a server, but is not required on the client. In addition, there are other situations, such as skype (which, to my understanding is ultimately client to client), where neither end must forward a port.
So my question is, in over-the-Internet communication, when is and isn't port forwarding necessary, and what steps can i take as a developer to make it so my users don't have to worry about it? Thanks in advance!
Port forwarding is needed when a machine on the Internet needs to initiate a connection to a machine that's behind a firewall or NAT router. If the connection is initiated by the machine behind the firewall, the firewall/router automatically recognizes the reply traffic and sends it to the machine that opened the connection.
But if a packet arrives on the external interface, and it's not a part of such a connection, the router needs to know what to do with it. By default, it will reject it. But if forwarding is configured for the port, that tells it what internal machine to send it to.
Put another way: you need port forwarding if you want to run a server behind the NAT firewall/router, you don't need it if you're just running a client.
There is reason why Skype don't (not always) need manual setting of port forwarding:
When you install Skype, a port above 1024 is chosen at random as the
port for incoming connections. You can configure Skype to use a
different port for incoming connections if you wish, but if you do,
you must open the alternative port manually.
If the port chosen for incoming connections becomes unavailable, by
default ports 80 and 443 will be used as alternatives. If another
application (such as Apache HTTP server or IIS) uses these ports, you
can either configure the application to use other ports, or you can
configure Skype to not use these ports.
Port forwarding is must if you host a server.
You can use same technique as Skype...
I am not sure if there is any other option...
Port forwarding (occurs) when a NAT, firewall or some other device blocks communication on all or some ports.
To answer your question as an example, most commercial routers use NAT to allow multiple people to use the same IP(As view from the outside world) provided by ISPs. Most ISP's use NAT to allow multiple customers to use the same IP(As viewed from the outside world). To get this to work, the NAT changes the internal IP and the port number of a communication to THE(there is only one for the entire sub network) external IP and a new port number. By doing this, the router/isp/ect can tell which internal IP and port each external communication goes to.
Anytime one of the computers communicating over the internet are behind a NAT, port forwarding is required. I'm sure there are way more situations than this, and the solution to each can be quite complicated. But this covers the vast majority.

How to find the tunnel Type?

I am trying to find out the type of the tunnel used for a vpn.. I am trying to determing if the tunnel is tcp or udp.. how do I do that? When I observe the tunnel traffic I am not able to observe anything! In the sense that packets are sent as such..
You need to observe the traffic on the physical network connection, not the traffic in the tunnel itself:
Setup a network packet capture program, such as Wireshark, to capture the traffic on the "real" network interface e.g. your cabled Ethernet connection. On Linux it would be something along the lines of eth0.
(Optional) Shutdown as many processes that use the network as possible.
Cause as much traffic through the VPN tunnel as possible - e.g. download a large file.
Watch in your capture program for any change - the tunnel traffic should now stand out due to sheer volume.
Keep in mind that if you are using an IPSec tunnel, the packets will be ESP, which is neither TCP nor UDP.

Resources