From 61f910be8d4a3ba188bc81b97073652ddff9a82d Mon Sep 17 00:00:00 2001 From: Fabian Kirschner Date: Tue, 20 Aug 2024 17:30:21 +0200 Subject: [PATCH] feat: add tcpdump blog article --- ...network-requests-are-made-by-your-tools.md | 52 +++++++++++++++++++ .../images/2024-08-20-pfsense-screenshot.png | 3 ++ .../images/2024-08-20-tcpdump-askubuntu.png | 3 ++ 3 files changed, 58 insertions(+) create mode 100644 src/content/blog/2024-08-20-tcpdump-how-to-find-out-which-network-requests-are-made-by-your-tools.md create mode 100644 src/content/blog/images/2024-08-20-pfsense-screenshot.png create mode 100644 src/content/blog/images/2024-08-20-tcpdump-askubuntu.png diff --git a/src/content/blog/2024-08-20-tcpdump-how-to-find-out-which-network-requests-are-made-by-your-tools.md b/src/content/blog/2024-08-20-tcpdump-how-to-find-out-which-network-requests-are-made-by-your-tools.md new file mode 100644 index 0000000..63945ed --- /dev/null +++ b/src/content/blog/2024-08-20-tcpdump-how-to-find-out-which-network-requests-are-made-by-your-tools.md 
@@ -0,0 +1,52 @@ +--- +title: "TCPDump: How to find out which network requests are made by your tools?" +image: 2024-08-20-tcpdump-askubuntu.png +timetoreadmins: 5 +slug: tcpdump-observe-network-requests +date: 20.08.2024 +tags: + - tcpdump + - firewall + - whitelisting +--- + +I have a locked-down Linux Server where I want to pull and run a docker container from DockerHub. +_Locked-down_ means here, that the egress traffic of that server is restricted by a firewall. +Therefore the server cannot access everything on the internet, only the sites I have explictly allowed. + +Therefore I need to find out which URLs are used when I call `docker pull`. +Google might give me an answer, but I want to exactly see what is tried to be accessed, on my machine, by inspecting the network traffic. + +This would also be very useful in other situations, like debugging network issues, etc. + +How? + +1. Capture the requests made by `docker pull` +2. Check where it tries to connect to + +On Linux, with tcpdump, easy enough. + +1. Run sudo __`sudo tcpdump -i any -w /tmp/http.log`__ to capture any network interface and write everything in a log file. +2. Now your terminal is blocked, so hit __`Ctrl + Z`__ to halt the current process and then continue it in the background by running the __`bg`__ command +3. Then run the command where we want to capture the packets from, __`docker pull nginx`__ for example and abort it with __`Ctrl + C`__ once you think the network requests have been made. +4. Stop the packet capture by bringing the background process back into the foreground with __`fg`__ and stopping it with __`Ctrl + C`__ +5. Finally we can read the captured packets with __`sudo tcpdump -r /tmp/http2.log | less`__ or directly filter them for the process we're interested in with __`sudo tcpdump -r /tmp/http2.log | grep docker`__. If we want to look at the payload of the packets add the __`-A`__ flag to tcpdump, but usually this is neither required, nor readable with TLS. 
+ +Now it's just a matter of you looking through the requests for the URLs you can spot. For my docker example, I could identify: + +- registry-1.docker.io +- docker.io +- production.cloudflare.docker.com + +From the internet I then learned that the following URLs are also relevant for docker: + +- index.docker.io for the API +- auth.docker.io for Authentication + +So the final list of URLs I added to my Firewall were these five, as you can see in the screenshot. + +![2024-08-20-pfsense-screenshot.png](./images/2024-08-20-pfsense-screenshot.png) + +Hope that helped, I'll definitely make use of this more often. + +Credit [AskUbuntu](https://askubuntu.com/questions/252179/how-to-inspect-outgoing-http-requests-of-a-single-application) \ No newline at end of file diff --git a/src/content/blog/images/2024-08-20-pfsense-screenshot.png b/src/content/blog/images/2024-08-20-pfsense-screenshot.png new file mode 100644 index 0000000..6645dcc --- /dev/null +++ b/src/content/blog/images/2024-08-20-pfsense-screenshot.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:4e7f8f7f2a6b3b620109a9cb53974e771e6844ba38f4cf6358b50762c6bb5af2 +size 342596 diff --git a/src/content/blog/images/2024-08-20-tcpdump-askubuntu.png b/src/content/blog/images/2024-08-20-tcpdump-askubuntu.png new file mode 100644 index 0000000..f839a34 --- /dev/null +++ b/src/content/blog/images/2024-08-20-tcpdump-askubuntu.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:beb2777037467d03b9d4151fdb1299e20fdbdcca7c6e43f6d5c5bd57f1549afc +size 289426
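Review bot: in the markdown hunk, step 1 writes the capture to `/tmp/http.log` but step 5 reads `/tmp/http2.log`; a reader who follows the steps verbatim gets a "No such file" error, so use one path in both places. The same step 1 also doubles the command: "Run sudo __`sudo tcpdump -i any -w /tmp/http.log`__" should drop the leading "sudo". Step 5 says `grep docker` filters "for the process we're interested in", but tcpdump has no process information at all; the grep only matches lines whose reverse-resolved hostnames (or DNS query names) happen to contain "docker", so say it filters by hostname. A more direct way to get the list the post is after is to read only the DNS traffic, e.g. `sudo tcpdump -r /tmp/http.log -n port 53`, which shows every name the tool resolved regardless of whether the later connection is TLS. The items listed under "URLs" are hostnames, not URLs. One caveat worth adding near the firewall screenshot: hostname aliases in pfSense are resolved to IP addresses, and `production.cloudflare.docker.com` resolves to Cloudflare anycast addresses that are shared with other Cloudflare-fronted services, so that allow rule opens more than Docker Hub. Minor: "explictly" -> "explicitly", "Linux Server" -> "Linux server", "Hope that helped" -> "I hope that helped", and the file should end with a newline ("\ No newline at end of file").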
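Review bot: both PNGs land as Git LFS pointers (`version https://git-lfs.github.com/spec/v1` / `oid sha256:...` / `size ...`), so the site build must fetch LFS objects or the post ships with two broken images; check that the build environment has git-lfs installed and runs `git lfs pull`. For `2024-08-20-pfsense-screenshot.png`, which shows the firewall's allow-list configuration, review the image for internal addresses or interface names before it goes public.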