3

When I want to figure out how a certain protocol works (let's say in this case, the HTTP protocol on port 80), I open two terminal windows:

nc -l 80
nc google.com 80

I then fire up the program I want to "man-in-the-middle", in this case Firefox, and go to http://localhost:80.

When the terminal on the left side sends a message, I copy and paste the data into the terminal on the right side. When the terminal on the right side sends a message, I do the same for the left terminal.

In addition to being manual and tedious, this process has two downsides:

  1. If I'm not fast enough, the connection may time out.
  2. Copying and pasting does not handle binary data very well.

Can I automate this process? Can I have one port automatically forward data to another port, or even another machine, in a way that allows me to inspect and debug the data going back and forth?

IQAndreas

2 Answers

7

Use socat, which is netcat on steroids.

[Image: a 1951 Swiss army knife captioned "netcat" beside a Wenger Giant captioned "socat"]

Left: Swiss army knife model 1951, photo by Ivlianvs. Right: Wenger “Giant”, photo by Slartibartfass.

socat TCP-LISTEN:8080 TCP:google.com:80

(You need to be root to listen on ports below 1024, so pick a higher port.)

But if what you want is to observe traffic, and you have root permissions, scratch that and run Wireshark. Start it up, set the filter to tcp.port == 80, start listening on your default network interface, and start browsing.

Note that Google redirects you to HTTPS. If you look at HTTPS traffic, you'll only see the encrypted TLS connection, which isn't interesting unless you want to observe the TLS handshake. While you can arrange to intercept an HTTPS session by feeding fake certificate authorities to your browser, it's harder to set up. If you want to observe the HTTP protocol, stick to the unencrypted version, i.e. to sites that don't use SSL.

  • This seemed like a really good answer! Only problem is... socat not outputting anything to console. It makes the two-way bridge between ports successfully. Client and server in full communication over socat, but not seeing any console output from (in my case) 'socat TCP-LISTEN:7777 TCP:localhost:8888'. Trying to write a webdav server. So far, PROPFIND directory listings fail, according to client ('cadaver'). Trying to find out what the server output should actually look like. – jdmayfield Nov 25 '23 at 04:01
  • In order to copy the data to the terminal / a file, use socat options like -v, -x, -r <file> and -R <file>. – Ingo Karkat Dec 18 '23 at 08:20
0

If it is on localhost, you can just sniff it. Have a look at ngrep, tcpdump, or Wireshark.

ngrep -q "." "port 80"

Alternatively you can use socat in a loop.

Rui F Ribeiro
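What a logging relay does between the two sockets, written out as an added example (not code from the question or from either answer): it forwards one listening port to an upstream host and hex-dumps every chunk in both directions, so binary data survives and no copy-pasting is needed. The function names `hexdump`, `pump` and `relay_once`, the listening port 8080 and the upstream `example.org:80` are assumptions made for the illustration.

```python
import socket
import threading

def hexdump(data, width=16):
    """Render bytes as offset / hex / printable-ASCII lines (binary-safe)."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:04x}  {hexpart:<{width * 3}} {text}")
    return "\n".join(lines)

def pump(src, dst, tag, log):
    """Copy src -> dst until EOF, logging every chunk with a direction tag."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            log(f"{tag} {len(data)} bytes\n{hexdump(data)}")
            dst.sendall(data)
    except OSError:
        pass
    finally:
        # Pass the EOF on so the other side sees the close as well.
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def relay_once(listener, upstream_addr, log=print):
    """Accept one client on `listener` and relay it to upstream_addr."""
    client, _ = listener.accept()
    upstream = socket.create_connection(upstream_addr)
    with client, upstream:
        t = threading.Thread(target=pump, args=(upstream, client, "<", log))
        t.start()
        pump(client, upstream, ">", log)
        t.join()

if __name__ == "__main__":
    # Assumed values: listen on 127.0.0.1:8080, forward to example.org:80.
    with socket.create_server(("127.0.0.1", 8080)) as srv:
        while True:
            relay_once(srv, ("example.org", 80))
```

Lines tagged `>` are what the client sent and lines tagged `<` are what the upstream server answered; connections are handled one at a time.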