How to check NAT live?


I don't know what you are doing wrong, but here's an example. Setup: Two network namespaces ns0 and ns1 with two veth pairs, main namespace forwards:

ns0          <------- main ------->     ns1
veth0b   --- veth0a          veth1a --- veth1b
10.0.0.1     10.0.0.254  10.0.1.254     10.0.1.1

Doing plain tcpdump on veth0a and veth1a. Pinging ns0 from ns1 without NAT shows:

IP 10.0.1.1 > 10.0.0.1: ICMP echo request, id 20765, seq 1, length 64
IP 10.0.0.1 > 10.0.1.1: ICMP echo reply, id 20765, seq 1, length 64

on veth0a, and on veth1a:

IP 10.0.1.1 > 10.0.0.1: ICMP echo request, id 20765, seq 1, length 64
IP 10.0.0.1 > 10.0.1.1: ICMP echo reply, id 20765, seq 1, length 64

After enabling SNAT on veth0a with

iptables -t nat -A POSTROUTING -o veth0a -s 10.0.1.1/32 -j SNAT --to 10.0.1.90

now on veth0a there is

IP 10.0.1.90 > 10.0.0.1: ICMP echo request, id 20795, seq 1, length 64
IP 10.0.0.1 > 10.0.1.90: ICMP echo reply, id 20795, seq 1, length 64

while on veth1a

IP 10.0.1.1 > 10.0.0.1: ICMP echo request, id 20795, seq 1, length 64
IP 10.0.0.1 > 10.0.1.1: ICMP echo reply, id 20795, seq 1, length 64

So one can clearly see the SNAT is working.

As I said, you need to dump packets on both the outgoing and the incoming interface.
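
As an added example (not part of the original answer), this Python script pairs the lines of the two tcpdump captures by ICMP id and seq and reports which address was rewritten between the interfaces. The capture text is constructed from the output shown above, the function names are hypothetical, and it assumes NAT left the ICMP id unchanged, as it did in that output.

```python
import re

# Constructed sample input: the tcpdump lines shown above, after the SNAT rule.
VETH1A = """\
IP 10.0.1.1 > 10.0.0.1: ICMP echo request, id 20795, seq 1, length 64
IP 10.0.0.1 > 10.0.1.1: ICMP echo reply, id 20795, seq 1, length 64
"""
VETH0A = """\
IP 10.0.1.90 > 10.0.0.1: ICMP echo request, id 20795, seq 1, length 64
IP 10.0.0.1 > 10.0.1.90: ICMP echo reply, id 20795, seq 1, length 64
"""

# search() is used below, so a leading tcpdump timestamp is tolerated.
LINE = re.compile(
    r"IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+)"
)

def parse(capture):
    """Map (kind, id, seq) -> (src, dst) for every ICMP echo line."""
    packets = {}
    for line in capture.splitlines():
        m = LINE.search(line)
        if m:
            packets[(m["kind"], int(m["id"]), int(m["seq"]))] = (m["src"], m["dst"])
    return packets

def nat_report(side_a, side_b):
    """Return (kind, id, seq, field, addr_a, addr_b) for each rewritten address."""
    seen_a, seen_b = parse(side_a), parse(side_b)
    changes = []
    for key in sorted(seen_a.keys() & seen_b.keys()):
        for field, a, b in zip(("src", "dst"), seen_a[key], seen_b[key]):
            if a != b:
                changes.append(key + (field, a, b))
    return changes

def unmatched(side_a, side_b):
    """Packets seen on one interface only (not forwarded, or the id was rewritten)."""
    return sorted(parse(side_a).keys() ^ parse(side_b).keys())

if __name__ == "__main__":
    for kind, icmp_id, seq, field, a, b in nat_report(VETH1A, VETH0A):
        print(f"echo {kind} id={icmp_id} seq={seq}: {field} {a} (veth1a) -> {b} (veth0a)")
    print("seen on one interface only:", unmatched(VETH1A, VETH0A))
```

For real captures, run tcpdump with -n on each interface so addresses are not replaced by host names before the lines are compared.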

Author by

Adonist

Updated on September 18, 2022

Comments

  • Adonist
    Adonist over 1 year

    I'm doing some troubleshooting in our network and VPNs and I want to monitor the traffic and I want to see if the SNAT and DNAT is working fine. I want something live like tcpdump that I can see something like:

    192.168.25.40 <----> 172.16.30.245 icmp echo-request 194.30.25.10
    194.30.25.10 icmp echo-reply 172.26.30.245 <----> 192.168.25.40

    Is it possible to do it with tcpdump, or iptraf or iftop? Or is there any other tool I could use to see the NAT in real time?

    Thanks

    • dirkt
      dirkt almost 7 years
      Yes, it's possible with tcpdump. Monitor both the incoming and the outgoing IF, and you should see the different IPs. If there's a lot of other traffic at the same time which you can't stop, a better alternative is wireshark, because it has a GUI and filters.
    • Adonist
      Adonist almost 7 years
      I checked the interfaces but it shows only the IP I'm pinging and the IP of the NAT. It doesn't show the IP before the NAT. Do I need any specific parameter? I've used -vvvv to see the most information but still not.
  • dirkt
    dirkt almost 7 years
    No, you can't check on the same IF before and after NAT. What's the problem with checking both IFs? You'll be doing the pings manually, anyway. And if SNAT works for one IP, it will likely also work for the others.
  • dirkt
    dirkt almost 7 years
    And if you really need to identify pings, use ping -p with some pattern. But it's quite obvious what's going on if you have two xterms with tcpdump open.