I had to check how a particular email server would behave when receiving email via a Tor exit node, but the packet capture software wouldn’t run on my client. Instead of doing the logical thing, and figuring out what the problem was with the packet capture software, I searched for another solution. I looked for software that I could put between the email client and the Tor client, and monitor all traffic.
I found Python program tcpproxy.py on GitHub.
You give it an address and port to listen on, and an address and port to forward all connections to. It can log, inspect and modify traffic passing through it.
Just what I needed. It works with modules, one of them is called hexdump. As its name implies, it will perform a hexadecimal dump of all incoming and/or outgoing traffic.
It isn’t easy to distinguish incoming and outgoing traffic, hence I made a small change to the hexdump module:
With the following result:
Unfortunately, tcpproxy is for Python 2 only. Although I was able to modify it to run on Python 3 too. Further experimenting will tell me if I’ll continue to use it.
The reason why I like this program so far: it’s a script, it’s configurable through command-line options and extensible via modules, and it depends on standard Python modules only. Which makes it usable on many machines I have to work on.
If you have a TCP proxy script you like, please let me know with a comment. Thanks.
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.