I have started sshd on my computer (Ubuntu 12.10) to let another PC (call it pc2) connect to my guest account through local port forwarding.
Now, how can I monitor pc2's traffic from my PC, i.e. which websites he/she is opening, what data he/she is downloading, and any other traffic that is passing through my computer?
You cannot 'see' the traffic arriving from pc2, because ssh encrypts it. However, you will be able to see the outbound portion of any tunnelled traffic when it is being used, because this is generated by the local sshd.
Using the lsof command, look at what happens when the user from pc2 connects to you with ssh:

    lsof -i TCP | grep pc2

will show you something like this:

    sshd 14466 root    3u IPv4 327724762 0t0 TCP pc1:ssh->pc2:40781 (ESTABLISHED)
    sshd 19170 pc2user 3u IPv4 327724762 0t0 TCP pc1:ssh->pc2:40781 (ESTABLISHED)
The first line represents the sshd service itself, and the second line represents the portion of sshd that is running the pc2 user's connection (Privilege Separation is used by default with Ubuntu and hopefully everyone else by now).
From this view, you can't see any port forwarding, because it isn't yet being used. But we can use the process ID (PID) of pc2user's ssh session, which is 19170 here. We can now use lsof again to see what that process is doing:

    lsof -p 19170 -a -i TCP

    COMMAND PID   USER    FD TYPE DEVICE    SIZE/OFF NODE NAME
    sshd    19170 pc2user 3u IPv4 327724762 0t0      TCP  pc1:ssh->pc2:40785 (ESTABLISHED)
That should give you the same output as the second line above; but when the user starts to use the port forwarding tunnel they have declared, you will see it form from this PID:

    COMMAND PID   USER    FD  TYPE DEVICE    SIZE/OFF NODE NAME
    sshd    19170 pc2user 3u  IPv4 327724762 0t0      TCP  pc1:ssh->pc2:40785 (ESTABLISHED)
    sshd    19170 pc2user 10u IPv4 327873368 0t0      TCP  localhost:55678->google.com:http (ESTABLISHED)
As soon as you detect this second connection, you are able to start collecting the network traffic for it, by specifying either end of the connection. Here, we'll use the localhost end:

    tcpdump -i lo src port 55678
Now that you have seen how traffic tunneled over ssh is visible, you might want a more automatic way to trap it. iptables allows us to match all the traffic that comes from a specific user using the Owner Match facility -- see http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html#OWNERMATCH
All the outbound network traffic from pc2user's ssh connection will be owned by pc2user -- you can use iptables to log all of this somewhere, or decide what to allow/reject, or do something else, like push all the HTTP traffic into a specific proxy that you set up.
You might also need to look at the authorized_keys file for pc2user, where you can control what port forwarding the user is allowed to ask for in the first place with permitopen="host:port" statements. man sshd will help you there.
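The lsof-then-tcpdump procedure from the answer, turned into a small script. This is an added example and is not part of the original answer: it parses the output of `lsof -p PID -a -i TCP` for the user's privilege-separated sshd child, skips the ssh session socket itself, and prints the `tcpdump -i lo src port N` command for every other TCP connection that process owns. The lsof listing it runs on is constructed here to mirror the answer's second listing (plus one extra tunnelled connection); the user name pc2user and the port numbers are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original answer. It parses the output of
# "lsof -p PID -a -i TCP" for a privilege-separated sshd child and turns every
# TCP connection that is not the ssh session itself into the tcpdump command
# the answer uses. The lsof output below is constructed to mirror the answer;
# the pc2user name and the ports are assumptions.

# Read lsof output on stdin; print "localport remotehost:remoteport" for each
# tunnelled connection. Column layout: COMMAND PID USER FD TYPE DEVICE
# SIZE/OFF NODE NAME (STATE), so $8 is NODE and $9 is NAME.
tunnel_connections() {
    awk '
        NR == 1 { next }               # header line
        $8 != "TCP" { next }           # TCP sockets only
        $9 ~ /:ssh->/ { next }         # the ssh session socket itself
        $9 ~ /->/ {
            split($9, ends, "->")              # ends[1]=local, ends[2]=remote
            n = split(ends[1], local, ":")     # local port is the last field
            print local[n], ends[2]
        }'
}

# For each tunnelled connection, emit the capture command from the answer,
# filtering on the local (loopback) end of the connection.
tcpdump_filters() {
    tunnel_connections | while read -r lport remote; do
        printf 'tcpdump -i lo src port %s   # -> %s\n' "$lport" "$remote"
    done
}

# Constructed sample, shaped like the answer's second lsof listing plus one
# extra tunnelled connection.
SAMPLE_LSOF='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 19170 pc2user 3u IPv4 327724762 0t0 TCP pc1:ssh->pc2:40785 (ESTABLISHED)
sshd 19170 pc2user 10u IPv4 327873368 0t0 TCP localhost:55678->google.com:http (ESTABLISHED)
sshd 19170 pc2user 11u IPv4 327873401 0t0 TCP localhost:55702->example.org:https (ESTABLISHED)'

# Stand-alone demo on the constructed sample. On the gateway itself, feed live
# data instead (pgrep -d, joins all of the user's sshd PIDs for lsof -p):
#   lsof -p "$(pgrep -d, -u pc2user -x sshd)" -a -i TCP | tcpdump_filters
printf '%s\n' "$SAMPLE_LSOF" | tcpdump_filters
```

Run it periodically (or from a loop with `sleep`) and the first time a new local port appears you have the tcpdump invocation ready; filtering on the local port rather than the remote host means the capture also covers destinations you did not anticipate.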
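The two controls the answer closes with, restricting what the key may forward and matching the user's traffic with iptables Owner Match, as configuration fragments. These are added examples, not the answer's own configuration; the destination 10.0.0.5:80, the key material and the pc2user name are placeholders.

```text
# ~pc2user/.ssh/authorized_keys (added example; 10.0.0.5:80 and the key are placeholders)

# Before: an unrestricted key, so the client may request -L to any host:port
ssh-rsa AAAA...PLACEHOLDER-KEY... pc2user@pc2

# After: only the listed destination can be opened through this key, and no
# terminal is handed out to a user who only needs the tunnel
permitopen="10.0.0.5:80",no-pty,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA...PLACEHOLDER-KEY... pc2user@pc2

# iptables Owner Match (run as root on the gateway): log, then allow, every
# outbound packet generated by a process running as pc2user, which includes
# the privilege-separated sshd child that services the tunnel
iptables -A OUTPUT -m owner --uid-owner pc2user -j LOG --log-prefix "pc2user-out: "
iptables -A OUTPUT -m owner --uid-owner pc2user -j ACCEPT
```

Several permitopen options can be listed on one key, separated by commas, and the LOG target writes to the kernel log (dmesg or syslog) with the given prefix, so the entries can be grepped out without touching the capture.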