While sniffing the traffic flowing through a cjdns node is not possible by design (and that’s the selling point of cjdns!), a node owner might wish to see the traffic for which his/her node is the source or the destination.

1. Add a new rule to ip6tables:

$ sudo ip6tables -A INPUT -i tun0 -j LOG --log-prefix "ip6tables: "
where ‘tun0’ is the cjdns interface (different systems can have different numbers), and the --log-prefix option adds text to the log message, so as to make it easier to filter.

2. Create a new rule for rsyslog (rsyslog is the logging daemon on Ubuntu; other systems can have different daemons and different settings):
$ sudo touch /etc/rsyslog.d/ip6tables.conf
$ echo ':msg, contains, "ip6tables: " -/var/log/ip6tables.log' | sudo tee -a /etc/rsyslog.d/ip6tables.conf
$ sudo service rsyslog restart

where the first line creates a new config file for rsyslog, the second one adds a rule to redirect all messages that contain “ip6tables: ” to a separate log file, and the third one restarts the logging daemon with the new config.

Done! Now, if there is some incoming/outgoing (transit excluded) activity on the node, the log will contain something like:

Aug 20 18:01:51 localhost kernel: [2896208.142539] ip6tables: IN=tun0 OUT= MAC= SRC=fc5d:baa5:61fc:6ffd:9554:67f0:e290:7535 DST=fc1c:4e55:674d:970a:9901:34ae:4cb0:b00b LEN=163 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=UDP SPT=53 DPT=57952 LEN=123
Aug 20 18:18:51 localhost kernel: [2897228.738693] ip6tables: IN=tun0 OUT= MAC= SRC=fc89:d0bf:6d7d:3e17:eda3:a53a:5846:0001 DST=fc1c:4e55:674d:970a:9901:34ae:4cb0:b00b LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=ICMPv6 TYPE=129 CODE=0 ID=25912 SEQ=1
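The LOG target writes one KEY=VALUE record per packet, so the file fills up quickly; the script below is an added example (not part of the original post) that parses those records and counts packets per peer and protocol. It embeds the two sample lines above as constructed input, and assumes the log file path /var/log/ip6tables.log from the rsyslog rule; note that the INPUT rule shown in step 1 only logs packets arriving on tun0, so a matching rule in the OUTPUT chain (`-A OUTPUT -o tun0 -j LOG --log-prefix "ip6tables: "`) is needed before outgoing packets appear with an empty IN= field, which the script treats as outbound.

```python
import re
from collections import Counter

# Two log lines from the post, embedded here as sample input so the
# script runs without access to /var/log/ip6tables.log.
SAMPLE_LOG = """\
Aug 20 18:01:51 localhost kernel: [2896208.142539] ip6tables: IN=tun0 OUT= MAC= SRC=fc5d:baa5:61fc:6ffd:9554:67f0:e290:7535 DST=fc1c:4e55:674d:970a:9901:34ae:4cb0:b00b LEN=163 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=UDP SPT=53 DPT=57952 LEN=123
Aug 20 18:18:51 localhost kernel: [2897228.738693] ip6tables: IN=tun0 OUT= MAC= SRC=fc89:d0bf:6d7d:3e17:eda3:a53a:5846:0001 DST=fc1c:4e55:674d:970a:9901:34ae:4cb0:b00b LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=ICMPv6 TYPE=129 CODE=0 ID=25912 SEQ=1
"""

# The prefix given to --log-prefix in the post; everything after it is KEY=VALUE.
PREFIX = "ip6tables: "
# A KEY=VALUE token; VALUE may be empty (e.g. "OUT=" or "MAC=").
TOKEN_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return a dict of the KEY=VALUE fields of one LOG-target line,
    or None if the line does not carry our --log-prefix."""
    idx = line.find(PREFIX)
    if idx < 0:
        return None
    fields = {}
    for key, value in TOKEN_RE.findall(line[idx + len(PREFIX):]):
        # The LOG target prints LEN twice (IPv6 payload length, then the
        # UDP length); keep the first occurrence as the packet length.
        fields.setdefault(key, value)
    # syslog timestamps are a fixed 15 characters: "Aug 20 18:01:51"
    fields["timestamp"] = line[:15]
    return fields


def summarize(text):
    """Count packets per (direction, peer, protocol) over a log text.
    Direction is 'in' when IN= names an interface and the peer is then
    SRC=; otherwise the packet left the node and the peer is DST=."""
    counts = Counter()
    for line in text.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        if f.get("IN"):
            direction, peer = "in", f["SRC"]
        else:
            direction, peer = "out", f["DST"]
        proto = f.get("PROTO", "?")
        if proto in ("UDP", "TCP"):
            proto += "/" + f.get("DPT", "?")
        elif proto == "ICMPv6":
            proto += "/type" + f.get("TYPE", "?")
        counts[(direction, peer, proto)] += 1
    return counts


if __name__ == "__main__":
    import sys
    # Usage: python3 summarize_ip6tables.py /var/log/ip6tables.log
    # Without an argument the embedded sample lines are summarized.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for (direction, peer, proto), n in sorted(summarize(text).items()):
        print(f"{direction:3} {peer:45} {proto:15} {n}")
```

Running it on the sample lines yields one inbound UDP packet to port 57952 from the first fc5d peer (a DNS reply, given SPT=53) and one inbound ICMPv6 type 129 (echo reply) from the fc89 peer; pointing it at the real log file gives a per-peer view of what talks to the node without any packet capture.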
