Useful Commands for Proxy Migration
Recently I took on a project to migrate "difficult" users from our proxy-based firewalls to a default route through packet filters. Since we do not force users to authenticate for DHCP or keep track of which IP addresses are assigned to which users, it was very difficult to contact the remaining users going through our proxies. The first step in identifying hosts going through our proxy firewalls is to get a list of their IP addresses, which I did with the following command on the proxy firewalls:
tcpdump -qni em1 not src host 192.168.5.2 | awk '{print $2}' | awk -F. '{print $1"."$2"."$3"."$4}' >> ~/hosts-through-proxy.txt
Explanation:
tcpdump -qni The q flag puts tcpdump in "quiet" mode, which strips off a lot of extraneous protocol detail we do not need here. The n flag tells tcpdump not to resolve hostnames (no reverse DNS lookups, which would be slow and would leak the capture to your resolvers), and i selects the interface. When piping into awk it is also worth adding the l flag so tcpdump line-buffers its output instead of holding it back until its buffer fills.
em1 This is your inside (internal) interface.
192.168.5.2 This is the IP address on your internal interface; "not src host" tells tcpdump to ignore traffic sent by the proxy itself, so only the client side of each conversation is left. Note that without an "ip" qualifier in the filter, ARP and other non-IP frames on the segment are captured too and produce junk lines further down the pipeline.
awk '{print $2}' This prints the source IP field. Check the field number against your tcpdump version: older releases print "timestamp src > dst", where the source is field 2, but current tcpdump prefixes a protocol tag ("IP", "IP6", "ARP,"), which makes the source field 3.
awk -F. '{print $1"."$2"."$3"."$4}' This splits the source address text on periods and prints only the four octets, dropping the port number that tcpdump appends as a fifth dotted component.
>> ~/hosts-through-proxy.txt This appends the output to a file.
After letting this run for a decent amount of time (a few days) I was able to run the file through uniq and produce a list of hosts using the firewall. Keep in mind that uniq only collapses adjacent duplicate lines, so the file has to be sorted first (sort | uniq, or simply sort -u) to get one line per host.
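The same extraction, as an added example that is not part of the original post, written as a small POSIX shell function so it can be tested offline. It handles both tcpdump output formats (source in field 2 on old releases, field 3 after the "IP" tag on current ones), skips ARP and IPv6 lines that slip through a filter without an "ip" qualifier, copes with ICMP lines that carry no port, and does the sort/dedup step itself. The sample capture lines and the 192.168.5.x addresses are constructed for the example.

```shell
#!/bin/sh
# Added example (not the original post's command): pull unique client IPv4
# addresses out of "tcpdump -qn" output.

# Constructed sample of tcpdump -qn lines standing in for a live capture.
# Includes an ARP line, an IPv6 line and a portless ICMP line on purpose.
SAMPLE_LINES='12:00:01.000001 IP 192.168.5.10.51234 > 93.184.216.34.80: tcp 0
12:00:01.000002 IP 192.168.5.11.33000 > 192.168.5.2.3128: tcp 517
12:00:01.000003 IP 192.168.5.10.51235 > 192.168.5.2.3128: tcp 0
12:00:02.000004 ARP, Request who-has 192.168.5.1 tell 192.168.5.12, length 28
12:00:02.000005 IP 192.168.5.11.33001 > 192.168.5.2.3128: tcp 0
12:00:03.000006 IP6 fe80::1.546 > ff02::1:2.547: UDP, length 100
12:00:03.000007 IP 192.168.5.12 > 192.168.5.2: ICMP echo request, id 1, seq 1, length 64'

# extract_hosts: read tcpdump -qn lines on stdin, print sorted unique
# source IPv4 addresses (ports stripped) on stdout.
extract_hosts() {
    awk '
    {
        src = ""
        if ($2 == "IP") {
            # Current tcpdump: "ts IP src > dst: ..." -> source is field 3
            src = $3
        } else if ($2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\.[0-9]+)?$/) {
            # Older tcpdump: "ts src > dst: ..." -> source is field 2
            src = $2
        }
        # Anything else (ARP, IP6, malformed) is not an IPv4 client line
        if (src == "") next

        # Split "a.b.c.d.port" (or "a.b.c.d" for ICMP) and keep the 4 octets
        n = split(src, o, ".")
        if (n >= 4) print o[1] "." o[2] "." o[3] "." o[4]
    }
    ' | sort -u
}

# Run against the constructed sample when executed directly.
printf '%s\n' "$SAMPLE_LINES" | extract_hosts
```

For a live run, feed the function from tcpdump (tcpdump -qnl -i em1 ip and not src host 192.168.5.2 | extract_hosts); since sort -u has to see end of input before it prints, redirect the raw tcpdump output to a file during the multi-day capture and run extract_hosts over the file afterwards.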
I will continue to post commands/workflows I find useful in this project.