I am using tcpdump to dump HTTPS traffic passing through mitmproxy (actually mitmdump) running in transparent mode. The proxy server (CentOS 6.x) faces the internet on eth0 and I was connecting to it as a gateway on eth1. This setup works fine.
I then decided it would be nice to be able to use a browser on the proxy server itself. I quickly found out that you need to use the OUTPUT chain in iptables:
iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner ffuser --dport 443 -j REDIRECT --to-port 8080
This works, in the sense that I can browse on the proxy server and my traffic passes through mitmproxy. I can see that the cert is issued by mitmproxy and my modifications are applied. However, I can no longer get a clean dump of the traffic. In the earlier scenario (proxy server as gateway) I could just tcpdump the traffic on eth1. But now there's no unified view of the traffic from tcpdump's perspective, as I have to tcpdump on lo and the iptables rules seem to be interfering.
- Requests are from [eth0 IP]:[random port] to 127.0.0.1:8080
- Responses are from [website IP]:443 to [eth0 IP]:[random port]
I don’t think there’s any way to capture this traffic using tcpdump in such a way as to have a “normal” capture with both sides of the conversation within single TCP streams.
I realise this isn’t really an mitmproxy issue, but if anyone has any advice (including “stop trying”) then that would be very welcome.
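One way to get the "normal" capture the post asks for is to post-process the lo dump rather than fight the NAT at capture time. The asymmetry described above comes from conntrack: the request is REDIRECTed to 127.0.0.1:8080, but the reply is un-NATed on its way back and so shows the real site:443 as its source. Because the client's ephemeral port is the same on both halves, each request can be retargeted to the site:443 learnt from its reply, after which Wireshark follows the connection as one stream. The script below is an added example, not code from the original post or from the mitmproxy project; it is pure standard library and assumes a classic (non-pcapng) pcap with the Ethernet link type, IPv4/TCP traffic, and the 127.0.0.1:8080 proxy socket from the post's rule. The sample capture, the addresses 192.0.2.10 (standing in for the eth0 address) and 198.51.100.5 (standing in for the web site), and the helpers that build it are constructed for illustration.

```python
"""Pair REDIRECTed requests with their un-NATed replies in a tcpdump capture of lo.

Added example, not code from the original post. Assumes a classic pcap with the
Ethernet link type (what tcpdump writes for lo on Linux), IPv4/TCP only, and a
proxy socket of 127.0.0.1:8080 as in the post's REDIRECT rule.
"""
import struct

PROXY = ("127.0.0.1", 8080)  # assumed REDIRECT target

def ones_complement(data: bytes) -> int:
    """RFC 1071 checksum, used for both the IPv4 header and the TCP segment."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def ip_bytes(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))

def tcp_tuple(frame: bytes):
    """(ip_off, tcp_off, src, sport, dst, dport) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ip_off = 14
    tcp_off = ip_off + (frame[ip_off] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", frame[tcp_off:tcp_off + 4])
    return (ip_off, tcp_off, ip_str(frame[ip_off + 12:ip_off + 16]), sport,
            ip_str(frame[ip_off + 16:ip_off + 20]), dport)

def fix_checksums(f: bytearray, ip_off: int, tcp_off: int) -> None:
    """Recompute the IPv4 header and TCP pseudo-header checksums in place."""
    ihl = (f[ip_off] & 0x0F) * 4
    f[ip_off + 10:ip_off + 12] = b"\x00\x00"
    f[ip_off + 10:ip_off + 12] = struct.pack("!H", ones_complement(bytes(f[ip_off:ip_off + ihl])))
    end = ip_off + struct.unpack("!H", f[ip_off + 2:ip_off + 4])[0]  # end of IP payload
    f[tcp_off + 16:tcp_off + 18] = b"\x00\x00"
    pseudo = bytes(f[ip_off + 12:ip_off + 20]) + b"\x00\x06" + struct.pack("!H", end - tcp_off)
    f[tcp_off + 16:tcp_off + 18] = struct.pack("!H", ones_complement(pseudo + bytes(f[tcp_off:end])))

def read_pcap(blob: bytes):
    """Split a classic pcap into (global header, [(record header, frame), ...])."""
    e = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(blob[:4])
    if e is None or struct.unpack(e + "I", blob[20:24])[0] != 1:
        raise ValueError("need a classic (non-pcapng) pcap with LINKTYPE_ETHERNET")
    packets, off = [], 24
    while off + 16 <= len(blob):
        n = struct.unpack(e + "I", blob[off + 8:off + 12])[0]
        packets.append((blob[off:off + 16], blob[off + 16:off + 16 + n]))
        off += 16 + n
    return blob[:24], packets

def unredirect(blob: bytes, proxy=PROXY):
    """Return (rewritten pcap, requests rewritten, requests whose reply was never seen)."""
    ghdr, packets = read_pcap(blob)
    servers = {}  # pass 1: client (ip, port) -> real server (ip, port), from un-NATed replies
    for _, frame in packets:
        t = tcp_tuple(frame)
        if t and (t[2], t[3]) != proxy and (t[4], t[5]) != proxy:
            servers[(t[4], t[5])] = (t[2], t[3])
    out, hit, miss = [ghdr], 0, 0  # pass 2: retarget requests away from the proxy socket
    for hdr, frame in packets:
        t = tcp_tuple(frame)
        if t and (t[4], t[5]) == proxy:
            real = servers.get((t[2], t[3]))
            if real is None:
                miss += 1
            else:
                f = bytearray(frame)
                f[t[0] + 16:t[0] + 20] = ip_bytes(real[0])
                f[t[1] + 2:t[1] + 4] = struct.pack("!H", real[1])
                fix_checksums(f, t[0], t[1])
                frame, hit = bytes(f), hit + 1
        out += [hdr, frame]
    return b"".join(out), hit, miss

def build_frame(src, sport, dst, dport, flags=0x18, payload=b"") -> bytes:
    """Constructed Ethernet/IPv4/TCP frame for the sample below (zero MACs, seq 0)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     ip_bytes(src), ip_bytes(dst))
    f = bytearray(bytes(12) + b"\x08\x00" + ip + tcp)
    fix_checksums(f, 14, 34)
    return bytes(f)

def build_pcap(frames) -> bytes:
    """Constructed little-endian classic pcap, LINKTYPE_ETHERNET."""
    head = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return head + b"".join(struct.pack("<IIII", 0, i, len(f), len(f)) + f
                           for i, f in enumerate(frames))

# Constructed sample of what tcpdump -i lo records for one REDIRECTed connection
# (192.0.2.10 stands in for the eth0 address, 198.51.100.5 for the web site).
SAMPLE = build_pcap([
    build_frame("192.0.2.10", 40000, "127.0.0.1", 8080, 0x02),                   # SYN
    build_frame("198.51.100.5", 443, "192.0.2.10", 40000, 0x12),                 # SYN/ACK, un-NATed
    build_frame("192.0.2.10", 40000, "127.0.0.1", 8080, 0x18, b"\x16\x03\x01"),  # TLS ClientHello start
    build_frame("192.0.2.10", 40001, "127.0.0.1", 8080, 0x02),                   # SYN, no reply yet
])

if __name__ == "__main__":  # usage: python unredirect.py in.pcap out.pcap
    import sys
    open(sys.argv[2], "wb").write(unredirect(open(sys.argv[1], "rb").read())[0])
```

Run it over a file captured with `tcpdump -i lo -w in.pcap` and open the output in Wireshark; each connection now reads as client:P to site:443 in both directions. A request whose reply never appears in the capture (the second SYN in the sample) is left pointing at 127.0.0.1:8080 and counted separately, so the counts returned by `unredirect` tell you how much of the capture was actually paired. The payload is still TLS, so this only gives a clean stream; decrypting it is a separate matter of feeding mitmproxy's keys or certificates to Wireshark.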