From alex at wombaz.de Tue Dec 11 05:26:52 2012
From: alex at wombaz.de (Alex Woick)
Date: Tue, 11 Dec 2012 14:26:52 +0100
Subject: [Netalyzr] intranet proxy detection gets web server instead of proxy
Message-ID: <50C7349C.3040707@wombaz.de>

I have a machine with a squid proxy (port 3123) and a web server (port 80) running in my intranet. The proxy configuration for my machine is distributed with a proxy.pac file. This way, my browser contacts the intranet proxy, which contacts remote web servers directly.

With this configuration, netalyzr detects a wrong proxy in my intranet. It probes the correct machine but misinterprets the apache web server on port 80 as proxy, which is not configured as proxy. I removed the mod_proxy.so and corresponding modules from httpd.conf, so it really cannot. This results in wrong reports from netalyzr that a proxy alters responses and performs broken caching.

This is an excerpt from the client logfile:

009,582 test-7| Starting checkURL
009,687 test-7| Response code 200
009,689 test-7| Global client addr via HTTP is 130.180.63.129
009,689 test-7| Suspecting proxy at linux1.wombaz.localnet:80, verifying.
009,691 test-7| connected to 'linux1.wombaz.localnet/10.10.10.11:80' in 1 ms
009,697 test-7| read response headers in 6 ms
009,697 test-7| HTTP headers received: Date Server Content-Length Connection Content-Type
009,697 test-7| Connection header is close
009,697 test-7| Content length is: 339
009,697 test-7| Got all content
009,697 test-7| Proxy confirmed via ID string in payload.

According to proxy.pac, the proxy runs on linux1.wombaz.localnet:3128, and according to the X-Cache-Lookup header applications could be able to determine the correct port 3128 even without proxy.pac.

If I manually configure the browser (Firefox) to directly connect to websites, no proxy is detected - which is fine.
This is the link for the session with proxy autoconfiguration file:
http://netalyzr.icsi.berkeley.edu/restore/id=ae81b058-31561-8df8f214-2702-41dc-b85d

Using the cli version, netalyzr doesn't detect any proxy (which is fine):
http://netalyzr.icsi.berkeley.edu/restore/id=43ca253f-13251-c562e872-9d42-4b5e-a6f6

Bye
Alex

From christian at icir.org Wed Dec 12 01:56:07 2012
From: christian at icir.org (Christian Kreibich)
Date: Wed, 12 Dec 2012 01:56:07 -0800
Subject: [Netalyzr] intranet proxy detection gets web server instead of proxy
In-Reply-To: <50C7349C.3040707@wombaz.de>
References: <50C7349C.3040707@wombaz.de>
Message-ID: <50C854B7.3060208@icir.org>

Hi Alex,

On 12/11/2012 05:26 AM, Alex Woick wrote:
> I have a machine with a squid proxy (port 3123) and a web server (port
> 80) running in my intranet. The proxy configuration for my machine is
> distributed with a proxy.pac file. This way, my browser contacts the
> intranet proxy, which contacts remote web servers directly.
>
> With this configuration, netalyzr detects a wrong proxy in my intranet.
> It probes the correct machine but misinterprets the apache web server on
> port 80 as proxy, which is not configured as proxy. I removed the
> mod_proxy.so and corresponding modules from httpd.conf, so it really
> cannot. This results in wrong reports from netalyzr that a proxy alters
> responses and performs broken caching.

Interesting stuff, thanks for reporting this. I suspect what's going on is our processing of Via and X-Cache-Lookup headers hitting a bug that ends up with the wrong port information. The second problem seems to be that whatever content we manage to retrieve from the server happens to pass our test.

We have the header information in the session transcript, so let us take a look at what's going on. In the meantime it would be helpful if you could tell us (e.g. via a tcpdump) what's the content we retrieve from your webserver. I suppose it's a 404 of some sort?

> According to proxy.pac, the proxy runs on linux1.wombaz.localnet:3128,
> and according to the X-Cache-Lookup header applications could be able to
> determine the correct port 3128 even without proxy.pac.

Yeah, that makes complete sense and is exactly what's supposed to happen.

Best,
Christian

From alex at wombaz.de Mon Dec 17 05:22:57 2012
From: alex at wombaz.de (Alex Woick)
Date: Mon, 17 Dec 2012 14:22:57 +0100
Subject: [Netalyzr] intranet proxy detection gets web server instead of proxy
In-Reply-To: <50C854B7.3060208@icir.org>
References: <50C7349C.3040707@wombaz.de> <50C854B7.3060208@icir.org>
Message-ID: <50CF1CB1.2070101@wombaz.de>

Christian Kreibich wrote on 12.12.2012 10:56:
> We have the header information in the session transcript, so let us take
> a look at what's going on. In the meantime it would be helpful if you
> could tell us (e.g. via a tcpdump) what's the content we retrieve from
> your webserver. I suppose it's a 404 of some sort?

Yes, exactly. Apache acts as if the proxy request is a normal request to the local web server.

Frame: Number = 364, Captured Frame Length = 481, MediaType = ETHERNET
+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-0C-29-F8-28-E0],SourceAddress:[BC-5F-F4-45-83-08]
+ Ipv4: Src = 10.10.10.14, Dest = 10.10.10.11, Next Protocol = TCP, Packet ID = 9106, Total IP Length = 467
+ Tcp: Flags=...AP..., SrcPort=52493, DstPort=HTTP(80), PayloadLen=427, Seq=2515443093 - 2515443520, Ack=2358625587, Win=256 (scale factor 0x8) = 65536
- Http: Request, GET http://n2.netalyzr.icsi.berkeley.edu/conn/id=43ca208a-9025-9a9af3bb-31a2-47d2-82c5
    Command: GET
  - URI: http://n2.netalyzr.icsi.berkeley.edu/conn/id=43ca208a-9025-9a9af3bb-31a2-47d2-82c5
      Location: http://n2.netalyzr.icsi.berkeley.edu/conn/id=43ca208a-9025-9a9af3bb-31a2-47d2-82c5
    ProtocolVersion: HTTP/1.1
    Host: n2.netalyzr.icsi.berkeley.edu:80
    UserAgent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20100101 Firefox/17.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: de,en;q=0.5
    Accept-Encoding: gzip, deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Connection: close
    HeaderEnd: CRLF

Frame: Number = 366, Captured Frame Length = 572, MediaType = ETHERNET
+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[BC-5F-F4-45-83-08],SourceAddress:[00-0C-29-F8-28-E0]
+ Ipv4: Src = 10.10.10.11, Dest = 10.10.10.14, Next Protocol = TCP, Packet ID = 18040, Total IP Length = 558
+ Tcp: Flags=...AP..., SrcPort=HTTP(80), DstPort=52493, PayloadLen=518, Seq=2358625587 - 2358626105, Ack=2515443520, Win=245 (scale factor 0x6) = 15680
- Http: Response, HTTP/1.1, Status: Not found, URL: http://n2.netalyzr.icsi.berkeley.edu/conn/id=43ca208a-9025-9a9af3bb-31a2-47d2-82c5
    ProtocolVersion: HTTP/1.1
    StatusCode: 404, Not found
    Reason: Not Found
    Date: Mon, 17 Dec 2012 13:08:55 GMT
    Server: Apache/2.2.15 (CentOS)
    ContentLength: 338
    Connection: close
  + ContentType: text/html; charset=iso-8859-1
    HeaderEnd: CRLF
  - payload: HttpContentType = text/html; charset=iso-8859-1
      HtmlElement:
      HtmlElement:
      HtmlElement:
      HtmlElement:
      HtmlElement: 404 Not Found
      HtmlElement:
      HtmlElement:
      HtmlElement:
      HtmlElement: Not Found
      HtmlElement:
      HtmlElement: The requested URL /conn/id=43ca208a-9025-9a9af3bb-31a2-47d2-82c5 was not found on this server.
      HtmlElement:
      HtmlElement:
      HtmlElement: Apache/2.2.15 (CentOS) Server at n2.netalyzr.icsi.berkeley.edu Port 80
      HtmlElement:
      HtmlElement:
      HtmlElement:

I made a Microsoft Network monitor dump of one netalyzr session on my Windows machine (the one I run the netalyzr test from). As far as I know, the capture format is readable by many analyzer tools. I included frames from firefox.exe and java.exe. You can download it from here:

http://www.wombaz.de/files-to-transfer/netalyzr.cap

Bye
Alex

From ericdherringtonjr at gmail.com Tue Dec 18 21:06:28 2012
From: ericdherringtonjr at gmail.com (Eric Herrington)
Date: Wed, 19 Dec 2012 00:06:28 -0500
Subject: [Netalyzr] intranet proxy detection gets web server instead of proxy
In-Reply-To: <50CF1CB1.2070101@wombaz.de>
References: <50C7349C.3040707@wombaz.de> <50C854B7.3060208@icir.org> <50CF1CB1.2070101@wombaz.de>
Message-ID:

I believe you are sending this to the wrong person.

On Mon, Dec 17, 2012 at 8:22 AM, Alex Woick wrote:

> Christian Kreibich wrote on 12.12.2012 10:56:
> > We have the header information in the session transcript, so let us take
> > a look at what's going on. In the meantime it would be helpful if you
> > could tell us (e.g. via a tcpdump) what's the content we retrieve from
> > your webserver. I suppose it's a 404 of some sort?
> Yes, exactly. Apache acts as if the proxy request is a normal request to
> the local web server.
>
> I made a Microsoft Network monitor dump of one netalyzr session on my
> Windows machine (the one I run the netalyzr test from). As far as I
> know, the capture format is readable by many analyzer tools. I included
> frames from firefox.exe and java.exe. You can download it from here:
>
> http://www.wombaz.de/files-to-transfer/netalyzr.cap
>
> Bye
> Alex
> _______________________________________________
> Netalyzr mailing list
> Netalyzr at mailman.ICSI.Berkeley.EDU
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/netalyzr
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/netalyzr/attachments/20121219/9c95f241/attachment.html

From whkrems at gmail.com Tue Dec 18 21:11:37 2012
From: whkrems at gmail.com (William Krems)
Date: Tue, 18 Dec 2012 23:11:37 -0600
Subject: [Netalyzr] intranet proxy detection gets web server instead of proxy
In-Reply-To:
References: <50C7349C.3040707@wombaz.de> <50C854B7.3060208@icir.org> <50CF1CB1.2070101@wombaz.de>
Message-ID:

Same here 2nd one I received

On Tue, Dec 18, 2012 at 11:06 PM, Eric Herrington <ericdherringtonjr at gmail.com> wrote:

> I believe you are sending this to the wrong person.
>
> On Mon, Dec 17, 2012 at 8:22 AM, Alex Woick wrote:
>
>> Christian Kreibich wrote on 12.12.2012 10:56:
>> > We have the header information in the session transcript, so let us take
>> > a look at what's going on. In the meantime it would be helpful if you
>> > could tell us (e.g. via a tcpdump) what's the content we retrieve from
>> > your webserver. I suppose it's a 404 of some sort?
>> Yes, exactly. Apache acts as if the proxy request is a normal request to
>> the local web server.
>>
>> I made a Microsoft Network monitor dump of one netalyzr session on my
>> Windows machine (the one I run the netalyzr test from). As far as I
>> know, the capture format is readable by many analyzer tools. I included
>> frames from firefox.exe and java.exe. You can download it from here:
>>
>> http://www.wombaz.de/files-to-transfer/netalyzr.cap
>>
>> Bye
>> Alex
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/netalyzr/attachments/20121218/20255485/attachment.html
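
The false positive reported in this thread, as an added example that is not part of the original messages and is not Netalyzr's code. It assumes the 404 passed the "ID string in payload" check because Apache echoes the requested path, which contains the session ID, in its error page. The function names, the relayed-response body and the sample byte strings are hypothetical and constructed for illustration.

```python
import re

# Constructed samples modelled on the capture quoted in the thread (body shortened).
SESSION_ID = "43ca208a-9025-9a9af3bb-31a2-47d2-82c5"
APACHE_404 = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Server: Apache/2.2.15 (CentOS)\r\n"
    b"Connection: close\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n\r\n"
    b"<p>The requested URL /conn/id=" + SESSION_ID.encode() +
    b" was not found on this server.</p>"
)
# Hypothetical relayed answer from a forwarding proxy; the body format is an assumption.
PROXIED_200 = (
    b"HTTP/1.0 200 OK\r\n"
    b"X-Cache-Lookup: MISS from linux1.wombaz.localnet:3128\r\n"
    b"Via: 1.0 linux1.wombaz.localnet (squid)\r\n\r\n"
    b"id=" + SESSION_ID.encode() + b" client=130.180.63.129"
)

def parse_response(raw):
    """Split a raw HTTP response into (status, headers dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def proxy_port_hint(headers):
    """Port from Squid's 'X-Cache-Lookup: MISS from host:port', else None."""
    m = re.search(r"from\s+\S+:(\d+)$", headers.get("x-cache-lookup", ""))
    return int(m.group(1)) if m else None

def confirms_proxy(raw, session_id):
    """True only if the ID came back in a relayed 2xx answer, not in an echo."""
    status, _, body = parse_response(raw)
    if not 200 <= status < 300:
        return False  # an origin server's error page is not a relayed answer
    echoed_path = ("/conn/id=" + session_id).encode()
    # Discount copies of the request path; the ID must appear elsewhere too.
    return session_id.encode() in body.replace(echoed_path, b"")
```

With these samples the Apache 404 is rejected, and the port hint taken from X-Cache-Lookup is 3128 rather than 80.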