vincent-zurczak · November 21, 2019 18:09
diff --git a/reminder-about-tcpmon.sh b/reminder-about-tcpmon.sh
 #!/bin/sh

 # Assuming we have an Elastic Search cluster secured by Nginx.

 #################
 # On the server.
 #################

 # Capture HTTP traffic to Nginx (listening on port 9200).
 # Output the result in a PCAP file, readable with Wireshark.
 tcpdump -A -i eth0 -s 0 \
  'tcp port 9200 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' \
  -w /tmp/capture-to-nginx.pcap

 # Capture HTTP traffic to ES (listening on port 9201), on the local network interface.
 # Output the result in a PCAP file, readable with Wireshark.
 tcpdump -A -i lo -s 0 \
  'tcp port 9201 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' \
  -w /tmp/capture-to-es.pcap

 # Execute the requests.

 #################
 # Locally.
 #################

 # Retrieve the results from the local machine
 scp -p user@ip:/tmp/capture-to-nginx.pcap /tmp/capture-to-nginx.pcap
 scp -p user@ip:/tmp/capture-to-es.pcap /tmp/capture-to-es.pcap
	#!/bin/sh

	# Assuming we have an Elastic Search cluster secured by Nginx.

	#################
	# On the server.
	#################

	# Capture HTTP traffic to Nginx (listening on port 9200).
	# Output the result in a PCAP file, readable with Wireshark.
	tcpdump -A -i eth0 -s 0 \
	'tcp port 9200 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' \
	-w /tmp/capture-to-nginx.pcap

	# Capture HTTP traffic to ES (listening on port 9201), on the local network interface.
	# Output the result in a PCAP file, readable with Wireshark.
	tcpdump -A -i lo -s 0 \
	'tcp port 9201 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' \
	-w /tmp/capture-to-es.pcap

	# Execute the requests.

	#################
	# Locally.
	#################

	# Retrieve the results from the local machine
	scp -p user@ip:/tmp/capture-to-nginx.pcap /tmp/capture-to-nginx.pcap
	scp -p user@ip:/tmp/capture-to-es.pcap /tmp/capture-to-es.pcap