Can I use tcpdump (or another tool) to log the duration of connections to a remote host:port?
Posted by pskipw@reddit | linuxadmin | 23 comments
Hi all,
I want to calculate the average duration of SSL requests to a certain IP and port. I feel like tcpdump is probably the tool of choice, but sadly I'm fairly unfamiliar with its usage.
Any clues ?
Thanks :)
Made_By_Love@reddit
You would like to time the TLS/SSL handshake?
Kilobyte22@reddit
If this is web traffic the easiest solution would probably be to get it from the logs of your Webserver.
pskipw@reddit (OP)
It's a remote site and they're not able/willing to provide logs :(
michaelpaoli@reddit
So, tcpdump and/or tshark, and can then also post-process that with python or perl, to get whatever you want regarding connection durations. There may be simpler ways, but that would be at least one approach. But you may well end up needing more than duration information - e.g. when it's taking "too long", what part(s) of the connection are taking excessive time. Anyway, tcpdump and/or tshark should be able to get you most all the data you may need on that. But if it's TLS/SSL encrypted, and you need data within, you may need to use some additional means/tools.
pskipw@reddit (OP)
Thanks!!
Do you have a second to answer a question? I'm a noob when it comes to tcpdump (and low-level networking in general). I tried downloading a file from a remote SSL site (a public mirror, or I'd hide the IP address) with:
This gives me the two timestamps of start and end - excellent!
My question is - if my goal is to examine the duration of hundreds of requests, how do I map/match the syn and fin packets of each SSL request?
michaelpaoli@reddit
examine the duration of hundreds of requests, how do I map/match the syn and fin packets of each SSL request?
By IP/port quads - those will be unique ... at least during connection and bit of guard time after.
I've done stuff like that before, e.g. using tcpdump, tshark, and perl to analyze traffic, notably isolate SMPP traffic that was failing at << 1 in a million, but at many billions or more messages, was giving thousands of failures per day where there should've been none. So, yeah, something like that to capture relevant data and analyze the timings ... though today may be more appropriate to use python than perl, but otherwise, essentially same. And may or may not be able to do the captures direct with tshark.
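One way to do the quad matching described above, as an added example that is not from the thread or from the commenter: a Python script that reads the default text output of `tcpdump -n` (constructed sample lines embedded below) and pairs each connection's bare SYN with the first FIN or RST seen in either direction, keyed by the client/server IP:port pair.

```python
import re
from datetime import datetime

# Matches the default text output of "tcpdump -n", e.g.
# "12:00:01.000123 IP 10.0.0.5.51234 > 203.0.113.10.443: Flags [S], seq 1, ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

def _seconds(ts):
    # Seconds since midnight; a capture spanning midnight would need the date (-tttt).
    t = datetime.strptime(ts, "%H:%M:%S.%f")
    return t.hour * 3600 + t.minute * 60 + t.second + t.microsecond / 1e6

def connection_durations(lines):
    """Return {(client, server): seconds} for every connection that was closed.

    A connection starts at the client's bare SYN (flags exactly "S") and ends at
    the first FIN or RST seen in either direction.  Keying on the IP/port quad
    keeps concurrent connections from the same host apart.
    """
    starts, durations = {}, {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a TCP line (ARP, UDP, truncated output, ...)
        src, dst, flags = m["src"], m["dst"], m["flags"]
        t = _seconds(m["ts"])
        if flags == "S":                      # SYN only: client -> server
            starts[(src, dst)] = t
        elif "F" in flags or "R" in flags:    # either side may close
            for quad in ((src, dst), (dst, src)):
                if quad in starts:
                    durations[quad] = round(t - starts.pop(quad), 6)
                    break
    return durations

def average_duration(durations):
    return sum(durations.values()) / len(durations) if durations else 0.0
# Constructed sample capture: two overlapping HTTPS connections to one host:port.
SAMPLE = """\
12:00:01.000000 IP 10.0.0.5.51234 > 203.0.113.10.443: Flags [S], seq 1, win 64240, length 0
12:00:01.020000 IP 203.0.113.10.443 > 10.0.0.5.51234: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:01.020100 IP 10.0.0.5.51234 > 203.0.113.10.443: Flags [.], ack 3, win 502, length 0
12:00:01.200000 IP 10.0.0.5.51234 > 203.0.113.10.443: Flags [P.], seq 1:518, ack 3, win 502, length 517
12:00:01.500000 IP 10.0.0.5.51235 > 203.0.113.10.443: Flags [S], seq 9, win 64240, length 0
12:00:02.250000 IP 203.0.113.10.443 > 10.0.0.5.51234: Flags [F.], seq 3, ack 518, win 501, length 0
12:00:03.500000 IP 10.0.0.5.51235 > 203.0.113.10.443: Flags [R], seq 9, win 0, length 0
"""
```

Feed it real data with something like `tcpdump -n -l 'tcp and host X and port 443' | python3 script.py` (reading `sys.stdin` instead of `SAMPLE`); connections still open when the capture stops never get a duration.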
pskipw@reddit (OP)
Oh yeah - I forgot about the client port. Good stuff - thanks!
Majestic-Prompt-4765@reddit
you might be able to use tcplife (or see the other BCC tools):
https://github.com/iovisor/bcc/blob/master/tools/tcplife_example.txt
zqpmx@reddit
Wireshark?
aedinius@reddit
Netflow or zeek
s1lv3rbug@reddit
I’m sure you can use tcpdump to create a pcap file and load that file into Wireshark and examine it.
darkspark_pcn@reddit
I'm pretty sure if you filter it down to just the syn and ack for the session you're looking at you can even get wireshark to display the time delta between the packets.
franktheworm@reddit
You'd need syn and fin (or RST) for session length, rather than syn and ack. There would be many acks through the session.
darkspark_pcn@reddit
Yes. Sorry. That is correct.
NL_Gray-Fox@reddit
If it's a website you can do it with curl, that way it can tell you more in depth information that tcpdump cannot see because it (might be) inside the TLS handshake.
pskipw@reddit (OP)
Thanks, but to be clear - I want to time requests which are running from other processes; I don't need/want to pro-actively initiate the connections myself.
NL_Gray-Fox@reddit
Ok, but then we need more information like what program and what type of service are you trying to monitor.
Also keep in mind that things like keep alive for connections exist, so even though you have an active connection there might be no/very little data.
pskipw@reddit (OP)
They’re https API requests. Keepalive can be assumed to not be a factor.
Indifferentchildren@reddit
Netfilter (the built-in firewall system in Linux) has the ability to log if you give it rules to do so. That should be able to log session information without capturing heavy data.
TaterSupreme@reddit
Your browser's developer tools would be a better source of info on that.
aenae@reddit
What you want is flow data, start, end, duration. tcpdump is overkill and too heavy. Use netflow or something similar.
the_unsender@reddit
You'll need to run tcpdump as a background service, but yes it's possible to use it to do what you're asking.
mriswithe@reddit
Yeah, you are looking for the start and end of a session. That should be capturable. The initial syn, then the ....fin ack? There is a signal of some kind that should be visible where both sides say "ok I am done" to each other.