
I'm doing some troubleshooting in our network and VPNs. I want to monitor the traffic and see if the SNAT and DNAT are working fine. I want something live, like tcpdump, where I can see something like:

    192.168.25.40 <----> 172.16.30.245 icmp echo-request 194.30.25.10
    194.30.25.10 icmp echo-reply 172.26.30.245 <----> 192.168.25.40

Is it possible to do it with tcpdump, iptraf or iftop? Or is there any other tool I could use to see the NAT in real time?

Thanks

  • Yes, it's possible with tcpdump. Monitor both the incoming and the outgoing IF, and you should see the different IPs. If there's a lot of other traffic at the same time which you can't stop, a better alternative is Wireshark, because it has a GUI and filters. Commented Jun 29, 2017 at 16:13
  • I checked the interfaces but it shows only the IP I'm pinging and the IP of the NAT. It doesn't show the IP before the NAT. Do I need any specific parameter? I've used -vvvv to see the most information but still not. Commented Jun 29, 2017 at 16:18

1 Answer


I don't know what you are doing wrong, but here's an example. Setup: Two network namespaces ns0 and ns1 with two veth pairs, main namespace forwards:

    ns0 <-------      main      -------> ns1
    veth0b --- veth0a    veth1a --- veth1b
    10.0.0.1   10.0.0.254   10.0.1.254   10.0.1.1

Doing plain tcpdump on veth0a and veth1a. Pinging ns0 from ns1 without NAT shows:

    IP 10.0.1.1 > 10.0.0.1: ICMP echo request, id 20765, seq 1, length 64
    IP 10.0.0.1 > 10.0.1.1: ICMP echo reply, id 20765, seq 1, length 64

on veth0a, and on veth1a:

    IP 10.0.1.1 > 10.0.0.1: ICMP echo request, id 20765, seq 1, length 64
    IP 10.0.0.1 > 10.0.1.1: ICMP echo reply, id 20765, seq 1, length 64

After enabling SNAT on veth0a with

    iptables -t nat -A POSTROUTING -o veth0a -s 10.0.1.1/32 -j SNAT --to 10.0.1.90

now on veth0a there is

    IP 10.0.1.90 > 10.0.0.1: ICMP echo request, id 20795, seq 1, length 64
    IP 10.0.0.1 > 10.0.1.90: ICMP echo reply, id 20795, seq 1, length 64

while on veth1a

    IP 10.0.1.1 > 10.0.0.1: ICMP echo request, id 20795, seq 1, length 64
    IP 10.0.0.1 > 10.0.1.1: ICMP echo reply, id 20795, seq 1, length 64

So one can clearly see the SNAT is working.

As I said, you need to dump packets on both the outgoing and the incoming interface.

  • I see. You are checking them both at the same time. Makes sense. I wanted to know if there was a way to see it with only one, to see all outgoing traffic being NATed and their origins, since my network has a /22 subnet with IPs going from 192.168.20 to 192.168.25, sort of thing. Commented Jun 29, 2017 at 16:39
  • No, you can't check on the same IF before and after NAT. What's the problem with checking both IFs? You'll be doing the pings manually, anyway. And if SNAT works for one IP, it will likely also work for the others. Commented Jun 29, 2017 at 16:42
  • And if you really need to identify pings, use ping -p with some pattern. But it's quite obvious what's going on if you have two xterms with tcpdump open. Commented Jun 29, 2017 at 16:45
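Building on the answer's two-interface captures: the single-line view the question asks for can be produced offline by joining the inside and outside tcpdump output on the ICMP id and sequence number. This is an added example, not code from the answer; the interface roles (veth1a as the inside/client side, veth0a as the outside/translated side) and the tag names are assumptions, and the sample captures are the answer's own lines embedded as constructed input.

```python
import re

# Added example (not from the answer): join two tcpdump captures, one from the
# inside interface and one from the outside one, on ICMP id/seq so each ping
# is shown once with its pre-NAT and post-NAT addresses side by side.
LINE_RE = re.compile(
    r"IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+)")

# Constructed sample input: the two captures from the answer after SNAT was enabled
# (assumed roles: veth1a is the inside/client side, veth0a the outside/translated side).
INSIDE_CAPTURE = """\
IP 10.0.1.1 > 10.0.0.1: ICMP echo request, id 20795, seq 1, length 64
IP 10.0.0.1 > 10.0.1.1: ICMP echo reply, id 20795, seq 1, length 64
"""
OUTSIDE_CAPTURE = """\
IP 10.0.1.90 > 10.0.0.1: ICMP echo request, id 20795, seq 1, length 64
IP 10.0.0.1 > 10.0.1.90: ICMP echo reply, id 20795, seq 1, length 64
"""

def parse(capture):
    """Index echo lines by (kind, icmp id, seq) -> (src, dst); other lines are skipped."""
    table = {}
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if m:
            table[(m["kind"], int(m["id"]), int(m["seq"]))] = (m["src"], m["dst"])
    return table

def correlate(inside, outside):
    """Pair packets seen on both sides and report which endpoint NAT rewrote.
    For a request a changed source means SNAT and a changed destination means DNAT;
    for the reply the roles swap because the reverse mapping is applied."""
    a, b = parse(inside), parse(outside)
    rows = []
    for key in sorted(a.keys() & b.keys(), key=lambda k: (k[1], k[2], k[0] != "request")):
        kind, icmp_id, seq = key
        (isrc, idst), (osrc, odst) = a[key], b[key]
        src_changed, dst_changed = isrc != osrc, idst != odst
        snat, dnat = (src_changed, dst_changed) if kind == "request" else (dst_changed, src_changed)
        tags = [t for t, on in (("SNAT", snat), ("DNAT", dnat)) if on] or ["no-NAT"]
        rows.append({"kind": kind, "id": icmp_id, "seq": seq, "inside": (isrc, idst),
                     "outside": (osrc, odst), "nat": "+".join(tags)})
    return rows

def render(rows):
    """One line per packet, in the spirit of the format the question asks for."""
    return [f"{r['inside'][0]} <----> {r['inside'][1]}  icmp echo-{r['kind']} "
            f"id={r['id']} seq={r['seq']}  {r['outside'][0]} <----> {r['outside'][1]}  [{r['nat']}]"
            for r in rows]
```

Feed it the output of `tcpdump -nl -i veth1a icmp` and `tcpdump -nl -i veth0a icmp` saved to two files; packets that appear on only one side (dropped or not forwarded) are left out of the join, which is itself a useful signal when NAT is not behaving.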
