Recently, Rob wrote about a tool, Proxifier, that can intercept requests from specific processes. Proxifier is available for Windows, macOS, and Android. But I have not seen a generic Linux option yet. The advantage of a tool like Proxifier is the ability to target specific software. For debugging, reverse engineering, and similar tasks, selecting a specific process is quite useful, as it creates less noise to sift through and simplifies analysis.
There are a few ways to steer the traffic of a specific process into a proxy on Linux:
Environment Variables
Many programs (curl, wget, Python's urllib and requests, Go's net/http) look for the environment variables http_proxy and https_proxy; some also read the uppercase forms HTTP_PROXY and HTTPS_PROXY, and no_proxy lists hosts that should bypass the proxy. Because environment variables are inherited per process, this is the easiest way to target one program: open a shell, set the variables, and start the software you wish to inspect from that shell. The caveat is that only cooperating software is affected. A program that opens its own sockets, carries a hard-coded proxy setting, or simply ignores the variables talks to the network directly, so confirm at the proxy that the connections you expect actually arrive.
export http_proxy="http://proxy.example.com:80"    # proxy used for http:// requests
export https_proxy="http://proxy.example.com:443"  # proxy used for https:// requests; the scheme describes how the client talks to the proxy, which then tunnels TLS via CONNECT
./software-under-test                              # inherits both variables; nothing else in the session is affected
iptables
iptables, the Linux firewall front end, has a number of lesser-known options that help here (nftables offers the equivalent meta skuid match). For example, the owner match can redirect all traffic generated by a specific user:
iptables -t nat -A OUTPUT -m owner --uid-owner 1234 -j REDIRECT --to-ports 8080
This rule sends all locally generated traffic owned by UID 1234 to port 8080 on 127.0.0.1, which is where REDIRECT delivers packets from the OUTPUT chain. The proxy therefore has to listen on loopback, and it has to be a transparent proxy that recovers the original destination itself (mitmproxy's transparent mode, for example) rather than one expecting an explicit proxy request. Start the software as this user (a dedicated test user is easiest) and only its traffic shows up at the proxy. Two things to watch for: written as above, the rule also catches DNS, NTP and every other port, so restrict it with -p tcp and a --dport list unless the proxy handles those; and the proxy itself must not run as the same user, or its own upstream connections would be redirected back into it. There is no option to select a pid. The owner match once had --pid-owner, but it was removed as unreliable: pids are constantly changing, and the kernel cannot dependably attribute a packet to one, especially for multi-threaded networking code where each thread has its own kernel-level pid. Match on a user, or on a group with --gid-owner, instead.
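The following script is an added example, not code from the diary, that wraps the owner-match approach described above in a form that can be applied and removed cleanly. It assumes a dedicated test user named proxytest, a transparent proxy listening on 127.0.0.1:8080, root privileges for iptables, and sudo for switching users; the chain name PROXY_proxytest, the DRY_RUN switch and the up/down/run subcommands are this example's own conventions. Only TCP to ports 80 and 443 is redirected, so DNS and the proxy's own upstream connections are left alone.

```shell
#!/bin/sh
# Added example (not from the original post): redirect only the web traffic
# of one dedicated test user to a local transparent proxy, and undo it later.
# Assumptions: test user "proxytest", transparent proxy on 127.0.0.1:8080,
# root privileges for iptables. DRY_RUN=1 prints the commands instead of
# executing them.
set -eu

TEST_USER="${TEST_USER:-proxytest}"
PROXY_PORT="${PROXY_PORT:-8080}"
CHAIN="PROXY_${TEST_USER}"   # own chain, so cleanup is a single flush/delete

run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Rules for one numeric UID. Only TCP to 80/443 is redirected: DNS, NTP and
# everything else stay untouched. The proxy must NOT run as this user, or its
# upstream connections would be redirected back into itself in a loop.
proxy_rules_up() {
    uid="$1"
    run iptables -t nat -N "$CHAIN"
    run iptables -t nat -A "$CHAIN" -p tcp -m multiport --dports 80,443 \
        -j REDIRECT --to-ports "$PROXY_PORT"
    # hook: locally generated packets owned by the test UID (OUTPUT chain only)
    run iptables -t nat -A OUTPUT -m owner --uid-owner "$uid" -j "$CHAIN"
}

proxy_rules_down() {
    uid="$1"
    run iptables -t nat -D OUTPUT -m owner --uid-owner "$uid" -j "$CHAIN"
    run iptables -t nat -F "$CHAIN"
    run iptables -t nat -X "$CHAIN"
}

# Resolve the user name to a numeric UID; --uid-owner accepts names too, but
# the numeric form is what ends up in the rule set anyway.
uid_of() {
    id -u "$1"
}

case "${1:-}" in
    up)   proxy_rules_up "$(uid_of "$TEST_USER")" ;;
    down) proxy_rules_down "$(uid_of "$TEST_USER")" ;;
    run)  shift; exec sudo -u "$TEST_USER" -- "$@" ;;   # start the target as the test user
    *)    echo "usage: $0 up|down|run <command...>" ;;
esac
```

Usage: create the user once (useradd -m proxytest), start the transparent proxy as your own account, then run the script with up, start the target with run ./software-under-test, and remove the rules with down when finished. Everything that reaches the proxy now came from the test user, and the only side effect on the rest of the system is that other processes of that user are proxied as well.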
Network Namespaces
Usually, everything on a Linux system shares one set of network interfaces, routing tables, and firewall rules. A network namespace is a separate copy of all of those, and processes started inside it see only what the namespace contains. First, create the namespace; then give it interfaces, because a new namespace has nothing but an unconfigured loopback device until you explicitly add something.
ip netns add testing                      # create namespace 'testing'
ip link set dev ens18 netns testing       # move ens18 into 'testing'; the host loses the interface, so most recipes use a veth pair instead
ip netns exec testing software-under-test # run software-under-test inside the namespace
There are a number of more complete "recipes" for network namespaces available online, usually built around a veth pair plus NAT on the host. I find it the most versatile solution, particularly if environment variables do not work, because nothing outside the namespace is affected. The iptables solution is often simpler than namespaces, but you may end up with some unintended additional traffic, for instance from other processes that happen to run as the same user.
--
Johannes B. Ullrich, Ph.D., Dean of Research, SANS.edu