Cannot tcpdump traffic with transparent mode on local machine

I am using tcpdump to dump HTTPS traffic passing through mitmproxy (actually mitmdump) running in transparent mode. The proxy server (CentOS 6.x) faces the internet on eth0 and I was connecting to it as a gateway on eth1. This setup works fine.

I then decided it would be nice to be able to use a browser on the proxy server itself. I quickly found out that you need to use the OUTPUT chain in iptables:

iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner ffuser --dport 443 -j REDIRECT --to-port 8080

This works, in the sense that I can browse on the proxy server and my traffic passes through mitmproxy. I can see that the cert is issued by mitmproxy and my modifications are applied. However, I can no longer get a clean dump of the traffic. In the earlier scenario (proxy server as gateway) I could just tcpdump the traffic on eth1. But now there’s no unified view of the traffic from tcpdump’s perspective as I have to tcpdump on lo and the iptables rules seem to be interfering.

  • Requests are from [eth0 IP]:[random port] to 127.0.0.1:8080
  • Responses are from [website IP]:443 to [eth0 IP]:[random port]

I don’t think there’s any way to capture this traffic using tcpdump in such a way as to have a “normal” capture with both sides of the conversation within single TCP streams.

I realise this isn’t really an mitmproxy issue, but if anyone has any advice (including “stop trying”) then that would be very welcome.

Thank you :slight_smile:
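As an added example that is not part of the original post: the two halves that tcpdump shows on lo (request to 127.0.0.1:8080, reply from [website IP]:443) can be joined back into one logical stream after the fact, because the kernel's conntrack table records both the original tuple and the NAT-rewritten tuple of every redirected connection. The script below is my own (not the poster's and not mitmproxy's code); the addresses, ports and sample lines are constructed, and the `conntrack -L` and `tcpdump -nn` line formats are approximated from those tools' usual output. It parses a conntrack dump, derives the two on-the-wire 4-tuples each entry produces under `-j REDIRECT` in the OUTPUT chain, and regroups captured packets by their original flow; packets no conntrack entry explains are kept under an "unmatched" key rather than dropped.

```python
import re
from collections import defaultdict

# One `conntrack -L` entry: original tuple followed by reply tuple
# (format approximated; sample lines below are constructed, not captured).
CONNTRACK_RE = re.compile(
    r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)"      # original direction
    r".*?src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)"   # reply direction
)

# Address part of a `tcpdump -nn` line: "IP a.b.c.d.PORT > e.f.g.h.PORT:"
TCPDUMP_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):"
)


def parse_conntrack(lines):
    """Map each on-the-wire 4-tuple created by REDIRECT back to its original flow.

    With `-j REDIRECT` in the nat OUTPUT chain, tcpdump on lo sees:
      request: orig_src:orig_sport -> reply_src:reply_sport  (eth0 IP:X -> 127.0.0.1:8080)
      reply:   orig_dst:orig_dport -> reply_dst:reply_dport  (website:443 -> eth0 IP:X)
    Neither packet carries both original endpoints, so conntrack supplies the join key.
    """
    wire_to_flow = {}
    for line in lines:
        m = CONNTRACK_RE.search(line)
        if not m:
            continue
        osrc, odst, osport, odport, rsrc, rdst, rsport, rdport = m.groups()
        flow = (osrc, int(osport), odst, int(odport))
        wire_to_flow[(osrc, int(osport), rsrc, int(rsport))] = (flow, "request")
        wire_to_flow[(odst, int(odport), rdst, int(rdport))] = (flow, "reply")
    return wire_to_flow


def parse_tcpdump(lines):
    """Extract (src, sport, dst, dport, rest_of_line) from `tcpdump -nn` text."""
    packets = []
    for line in lines:
        m = TCPDUMP_RE.search(line)
        if m:
            src, sport, dst, dport = m.groups()
            packets.append((src, int(sport), dst, int(dport), line[m.end():].strip()))
    return packets


def group_streams(packets, wire_to_flow):
    """Regroup packets by original flow: {flow: [(direction, rest), ...]}.

    A 4-tuple not explained by any conntrack entry is filed under
    ("unmatched", tuple) so that nothing disappears silently.
    """
    streams = defaultdict(list)
    for src, sport, dst, dport, rest in packets:
        hit = wire_to_flow.get((src, sport, dst, dport))
        if hit is None:
            streams[("unmatched", (src, sport, dst, dport))].append(("?", rest))
        else:
            flow, direction = hit
            streams[flow].append((direction, rest))
    return dict(streams)


# Constructed sample: one conntrack entry for a redirected HTTPS connection
# (192.0.2.10 plays the eth0 IP, 203.0.113.5 the website; both are documentation ranges).
SAMPLE_CONNTRACK = [
    "tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=203.0.113.5 sport=51234 dport=443 "
    "src=127.0.0.1 dst=192.0.2.10 sport=8080 dport=51234 [ASSURED] mark=0 use=1",
]

# Constructed sample of what `tcpdump -nn -i lo` shows for that connection,
# plus one unrelated packet to exercise the "unmatched" path.
SAMPLE_TCPDUMP = [
    "10:00:00.000001 IP 192.0.2.10.51234 > 127.0.0.1.8080: Flags [S], seq 1, length 0",
    "10:00:00.000002 IP 203.0.113.5.443 > 192.0.2.10.51234: Flags [S.], seq 2, ack 2, length 0",
    "10:00:00.000003 IP 192.0.2.10.51234 > 127.0.0.1.8080: Flags [.], ack 3, length 0",
    "10:00:00.000004 IP 192.0.2.10.51234 > 127.0.0.1.8080: Flags [P.], seq 2:519, ack 3, length 517",
    "10:00:00.000005 IP 203.0.113.5.443 > 192.0.2.10.51234: Flags [P.], seq 3:1400, ack 519, length 1397",
    "10:00:00.000006 IP 192.0.2.10.51234 > 192.0.2.99.9999: Flags [S], seq 9, length 0",
]


def rebuild():
    """Run the whole pipeline on the constructed samples."""
    return group_streams(parse_tcpdump(SAMPLE_TCPDUMP), parse_conntrack(SAMPLE_CONNTRACK))


if __name__ == "__main__":
    for flow, pkts in rebuild().items():
        print(flow)
        for direction, rest in pkts:
            print("   ", direction, rest)
```

In practice the conntrack dump has to be taken while the connections are still in the table (or collected continuously with `conntrack -E`), since the mapping is lost once an entry expires; the regrouping then works on text output from both tools without needing a second capture interface.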