How to Make TcpDump Capture on Squid
We have a problem connecting to one specific site through the proxy and need to see the traffic at the network level on our Squid proxy / Web Safety virtual appliance. How can this be done from the command line?
To look into the proxy traffic we will use the tcpdump command. First, log in to the virtual appliance using the terminal console and find out which interface names the appliance has by running the following command:

root@node12:~# ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 .. 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu ..
    link/ether 00:0c:29:7e:b9:03 brd ff:ff:ff:ff:ff:ff
This output indicates that the interface name in the virtual appliance is ens160 (lo is the loopback interface and is not what we need). Please note that if you are using the Web Safety virtual appliance for Microsoft Hyper-V the interface names may be different.
Now start tcpdump on the server by running the command tcpdump -i ens160 -s 65535 -w connection.dump. The output will look something like the following:

root@node12:~# tcpdump -i ens160 -s 65535 -w connection.dump
tcpdump: listening on ens160, link-type EN10MB (Ethernet), capture size 65535 bytes
^C
71 packets captured
97 packets received by filter
0 packets dropped by kernel
Go to your browser and visit the problematic site. Close the browser afterwards. Then return to the virtual appliance console and press CTRL+C. The dump session will stop.
The only thing left is to download the connection.dump file to your desktop machine, pack it and send it to firstname.lastname@example.org for analysis. Please note that the attachment limit on that address is 1MB only.
If interested, you can also open that file in Wireshark and inspect the HTTP/HTTPS/proxy connection contents yourself. It may help identify the reason for the error.
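The following script is an added example and is not part of the Web Safety documentation or the appliance itself. It wraps the procedure above in three small shell functions: pick the first non-loopback interface from `ip link` output (so the capture does not silently land on lo), build the tcpdump command line with an optional BPF host filter for the problematic site (which keeps the dump small), and check that the resulting file fits the 1MB attachment limit before you send it. The sample `ip link` output and the host address 203.0.113.10 are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the Web Safety documentation).
# Helpers around the tcpdump capture procedure described on this page.

# Constructed sample of `ip link` output, shaped like the appliance's output.
SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
    link/ether 00:0c:29:7e:b9:03 brd ff:ff:ff:ff:ff:ff'

# Read `ip link` output on stdin and print the first interface that is not "lo".
# Interface header lines look like "2: ens160: <BROADCAST,...>"; VLAN/macvlan
# names carry an "@parent" suffix, which is stripped.
first_nonloop_iface() {
    awk -F': ' '/^[0-9]+: / && $2 != "lo" { sub(/@.*/, "", $2); print $2; exit }'
}

# Build the tcpdump command line.
#   $1 = interface, $2 = output file,
#   $3 = optional host (name or IP) used as a BPF capture filter so that only
#        traffic to and from the problematic site is written to the dump.
build_tcpdump_cmd() {
    iface=$1
    out=$2
    host=${3:-}
    cmd="tcpdump -i $iface -s 65535 -w $out"
    if [ -n "$host" ]; then
        cmd="$cmd host $host"
    fi
    printf '%s\n' "$cmd"
}

# Return 0 if the file is at most 1 MiB (the attachment limit), 1 otherwise.
fits_attachment_limit() {
    size=$(wc -c < "$1" | tr -d ' ')
    [ "$size" -le 1048576 ]
}

# Usage: sh capture.sh run [host]
# Runs the capture on the detected interface; stop it with CTRL+C as described above.
if [ "${1:-}" = run ]; then
    iface=$(ip link | first_nonloop_iface)
    cmd=$(build_tcpdump_cmd "$iface" connection.dump "${2:-}")
    echo "Running: $cmd"
    $cmd
    fits_attachment_limit connection.dump \
        || echo "connection.dump is larger than 1 MB; pack it or rerun with a host filter"
fi
```

Without a host filter the dump contains every packet on ens160, including unrelated client traffic, so on a busy appliance the file grows past 1MB within seconds; filtering on the site's address captures only the proxy-to-origin leg of the connection, which is usually where a site-specific failure shows up.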