Today's tshark love

I wanted to track down the origin of some bad requests hitting my infrastructure servers, but the webserver is fronted by a Netscaler in SNAT mode, so the actual client IP address is not visible: every request appears to come from the Netscaler's own address. Easy enough to change. I turned on Client IP insertion at the Netscaler and told it to add an X-Forwarded-For header. Then on the server I ran tshark with -V, which prints every dissected field of the packets matching the filter. This showed what I wanted but was too verbose, and I dimly remembered you could pick an output format; sure enough, -T fields plus a string of -e options names the fields you want printed, one tab-separated column per field. But what were those field names? It turns out tshark -G (tshark -G fields on newer releases) prints a table of every field you can use in display filter expressions, so it was easy to grep that and find http.request.uri and http.x_forwarded_for. Now the command:

tshark -n -i eth0 -s 2000 -R "http.request.uri contains pkgserv" \
    -T fields -e http.request.uri -e http.x_forwarded_for port 80 and host 10.1.1.1

where 10.1.1.1 is my Netscaler's subnet IP (the apparent source address of requests coming through the VIP). Note that the trailing "port 80 and host 10.1.1.1" is a capture filter applied by the kernel, while the -R expression is a display filter applied by the dissectors; newer tshark releases use -Y for a single-pass display filter and reserve -R for two-pass mode with -2. The command produces output like this:

/pkgserv?cmd=stat&opt=size&opt=mtime&file=ruby-1.8.7_p334-Darwin-10.2.0.tar.bz2     10.1.0.10
/pkgserv?cmd=stat&opt=size&opt=mtime&file=ruby-1.8.7_p334-Darwin-10.2.0.tar.bz2     10.1.0.11

And there are the real IP addresses alongside the URI paths they're requesting. Slick! One caveat: X-Forwarded-For is just a request header, so it is only as trustworthy as the hop that set it. Here the Netscaler adds it on the way in; if a client could reach the webserver directly, or sent its own X-Forwarded-For that the load balancer merely appended to, the header would contain whatever the client chose. Treat the address the Netscaler added as the real one and anything before it as client-supplied.
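To turn that two-column output into a tally of who is actually sending the bad requests, here is an added example (my own code, not from the original post) that builds the tshark argv from the post and aggregates the -T fields output by trusted client address. It assumes tshark's default tab separator for -T fields, and it assumes the load balancer appends the connecting client's address to X-Forwarded-For, so the last entry is the one the load balancer vouches for and earlier entries are client-supplied; it also handles the rows a real capture produces that the post's sample does not show (a missing header, a forged chain, a non-IP value). The sample output is constructed for the example.

```python
"""Added example (not from the original post): build the post's tshark command
and aggregate its -T fields output by the client address the load balancer
vouches for.

Assumptions, labelled here because the post does not state them:
  * tshark -T fields output is tab-separated (its default -E separator), and
    repeated occurrences of a field are joined with ','.
  * the load balancer appends the connecting client's address to
    X-Forwarded-For, so the last address in the chain is trusted and anything
    before it was supplied by the client.
"""
import ipaddress
from collections import Counter


def build_tshark_cmd(iface, uri_substring, lb_ip, display_filter_flag="-Y"):
    """Return the argv for the post's capture as a list (no shell quoting).

    The post used -R for the display filter; newer tshark releases use -Y for
    a single-pass display filter and reserve -R for two-pass (-2) read
    filters, so the flag is a parameter.  The capture filter is passed with -f
    as one argument instead of as trailing words.
    """
    return [
        "tshark", "-n", "-i", iface, "-s", "2000",
        display_filter_flag, f'http.request.uri contains "{uri_substring}"',
        "-T", "fields", "-e", "http.request.uri", "-e", "http.x_forwarded_for",
        "-f", f"tcp port 80 and host {lb_ip}",
    ]


def parse_fields_output(text):
    """Parse -T fields lines into (uri, xff_chain) tuples.

    tshark leaves the column empty when the header is absent, so a request
    that arrived without X-Forwarded-For yields an empty chain.
    """
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        uri = parts[0]
        raw = parts[1] if len(parts) > 1 else ""
        chain = [addr.strip() for addr in raw.split(",") if addr.strip()]
        records.append((uri, chain))
    return records


def trusted_client(chain):
    """Return the address the load balancer appended (assumed: the last one),
    or None when there is nothing to trust: no header at all (the request
    bypassed the load balancer) or a value that is not a valid IP address."""
    if not chain:
        return None
    candidate = chain[-1]
    try:
        ipaddress.ip_address(candidate)
    except ValueError:
        return None
    return candidate


def tally_by_client(records):
    """Count requests per trusted client; untrusted rows get their own bucket
    so they are visible rather than silently merged into a real address."""
    counts = Counter()
    for _uri, chain in records:
        counts[trusted_client(chain) or "<no trusted XFF>"] += 1
    return counts


# Constructed sample of tshark -T fields output (tab-separated), including
# rows the post's example does not show.
SAMPLE_OUTPUT = (
    "/pkgserv?cmd=stat&opt=size&opt=mtime&file=ruby-1.8.7_p334-Darwin-10.2.0.tar.bz2\t10.1.0.10\n"
    "/pkgserv?cmd=stat&opt=size&opt=mtime&file=ruby-1.8.7_p334-Darwin-10.2.0.tar.bz2\t10.1.0.11\n"
    "/pkgserv?cmd=stat&opt=size&opt=mtime&file=ruby-1.8.7_p334-Darwin-10.2.0.tar.bz2\t10.1.0.10\n"
    # client sent its own forged header; the load balancer appended the real one
    "/pkgserv?cmd=list\t203.0.113.9, 10.1.0.12\n"
    # direct hit on the webserver, no header at all
    "/pkgserv?cmd=list\t\n"
    # garbage value that would break a naive "take the header as an IP" script
    "/pkgserv?cmd=list\tnot-an-ip\n"
)


if __name__ == "__main__":
    print(" ".join(build_tshark_cmd("eth0", "pkgserv", "10.1.1.1")))
    for client, n in tally_by_client(parse_fields_output(SAMPLE_OUTPUT)).most_common():
        print(f"{n:5d}  {client}")
```

In practice you would pipe the live tshark output into parse_fields_output instead of the constructed sample; the functions are separated so the parsing and trust decision can be tested without a capture interface.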

Published: June 23 2011
