From alex at wombaz.de Tue Dec 11 05:26:52 2012
From: alex at wombaz.de (Alex Woick)
Date: Tue, 11 Dec 2012 14:26:52 +0100
Subject: [Netalyzr] intranet proxy detection gets web server instead of proxy
Message-ID: <50C7349C.3040707@wombaz.de>
I have a machine with a squid proxy (port 3123) and a web server (port
80) running in my intranet. The proxy configuration for my machine is
distributed with a proxy.pac file. This way, my browser contacts the
intranet proxy, which contacts remote web servers directly.
With this configuration, netalyzr detects a wrong proxy in my intranet.
It probes the correct machine but misinterprets the apache web server on
port 80 as proxy, which is not configured as proxy. I removed the
mod_proxy.so and corresponding modules from httpd.conf, so it really
cannot. This results in wrong reports from netalyzr that a proxy alters
responses and performs broken caching.
This is an excerpt from the client logfile:
009,582 test-7| Starting checkURL
009,687 test-7| Response code 200
009,689 test-7| Global client addr via HTTP is 130.180.63.129
009,689 test-7| Suspecting proxy at linux1.wombaz.localnet:80, verifying.
009,691 test-7| connected to 'linux1.wombaz.localnet/10.10.10.11:80' in 1 ms
009,697 test-7| read response headers in 6 ms
009,697 test-7| HTTP headers received: Date Server Content-Length Connection Content-Type
009,697 test-7| Connection header is close
009,697 test-7| Content length is: 339
009,697 test-7| Got all content
009,697 test-7| Proxy confirmed via ID string in payload.
According to proxy.pac, the proxy runs on linux1.wombaz.localnet:3128,
and according to the X-Cache-Lookup header applications could be able to
determine the correct port 3128 even without proxy.pac.
If I manually configure the browser (Firefox) to directly connect to
websites, no proxy is detected - which is fine.
This is the link for the session with proxy autoconfiguration file:
http://netalyzr.icsi.berkeley.edu/restore/id=ae81b058-31561-8df8f214-2702-41dc-b85d
Using the CLI version, netalyzr doesn't detect any proxy (which is fine):
http://netalyzr.icsi.berkeley.edu/restore/id=43ca253f-13251-c562e872-9d42-4b5e-a6f6
Tschau
Alex
From christian at icir.org Wed Dec 12 01:56:07 2012
From: christian at icir.org (Christian Kreibich)
Date: Wed, 12 Dec 2012 01:56:07 -0800
Subject: [Netalyzr] intranet proxy detection gets web server instead of
proxy
In-Reply-To: <50C7349C.3040707@wombaz.de>
References: <50C7349C.3040707@wombaz.de>
Message-ID: <50C854B7.3060208@icir.org>
Hi Alex,
On 12/11/2012 05:26 AM, Alex Woick wrote:
> I have a machine with a squid proxy (port 3123) and a web server (port
> 80) running in my intranet. The proxy configuration for my machine is
> distributed with a proxy.pac file. This way, my browser contacts the
> intranet proxy, which contacts remote web servers directly.
>
> With this configuration, netalyzr detects a wrong proxy in my intranet.
> It probes the correct machine but misinterprets the apache web server on
> port 80 as proxy, which is not configured as proxy. I removed the
> mod_proxy.so and corresponding modules from httpd.conf, so it really
> cannot. This results in wrong reports from netalyzr that a proxy alters
> responses and performs broken caching.
Interesting stuff, thanks for reporting this.
I suspect what's going on is our processing of Via and X-Cache-Lookup
headers hitting a bug that ends up with the wrong port information. The
second problem seems to be that whatever content we manage to retrieve
from the server happens to pass our test.
We have the header information in the session transcript, so let us take
a look at what's going on. In the meantime it would be helpful if you
could tell us (e.g. via a tcpdump) what's the content we retrieve from
your webserver. I suppose it's a 404 of some sort?
> According to proxy.pac, the proxy runs on linux1.wombaz.localnet:3128,
> and according to the X-Cache-Lookup header applications could be able to
> determine the correct port 3128 even without proxy.pac.
Yeah, that makes complete sense and is exactly what's supposed to happen.
Best,
Christian
From alex at wombaz.de Mon Dec 17 05:22:57 2012
From: alex at wombaz.de (Alex Woick)
Date: Mon, 17 Dec 2012 14:22:57 +0100
Subject: [Netalyzr] intranet proxy detection gets web server instead of
proxy
In-Reply-To: <50C854B7.3060208@icir.org>
References: <50C7349C.3040707@wombaz.de> <50C854B7.3060208@icir.org>
Message-ID: <50CF1CB1.2070101@wombaz.de>
Christian Kreibich schrieb am 12.12.2012 10:56:
> We have the header information in the session transcript, so let us take
> a look at what's going on. In the meantime it would be helpful if you
> could tell us (e.g. via a tcpdump) what's the content we retrieve from
> your webserver. I suppose it's a 404 of some sort?
Yes, exactly. Apache acts as if the proxy request is a normal request to
the local web server.
Frame: Number = 364, Captured Frame Length = 481, MediaType = ETHERNET
+ Ethernet: Etype = Internet IP
(IPv4),DestinationAddress:[00-0C-29-F8-28-E0],SourceAddress:[BC-5F-F4-45-83-08]
+ Ipv4: Src = 10.10.10.14, Dest = 10.10.10.11, Next Protocol = TCP,
Packet ID = 9106, Total IP Length = 467
+ Tcp: Flags=...AP..., SrcPort=52493, DstPort=HTTP(80), PayloadLen=427,
Seq=2515443093 - 2515443520, Ack=2358625587, Win=256 (scale factor 0x8)
= 65536
- Http: Request, GET
http://n2.netalyzr.icsi.berkeley.edu/conn/id=43ca208a-9025-9a9af3bb-31a2-47d2-82c5
Command: GET
- URI:
http://n2.netalyzr.icsi.berkeley.edu/conn/id=43ca208a-9025-9a9af3bb-31a2-47d2-82c5
Location:
http://n2.netalyzr.icsi.berkeley.edu/conn/id=43ca208a-9025-9a9af3bb-31a2-47d2-82c5
ProtocolVersion: HTTP/1.1
Host: n2.netalyzr.icsi.berkeley.edu:80
UserAgent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0)
Gecko/20100101 Firefox/17.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: close
HeaderEnd: CRLF
Frame: Number = 366, Captured Frame Length = 572, MediaType = ETHERNET
+ Ethernet: Etype = Internet IP
(IPv4),DestinationAddress:[BC-5F-F4-45-83-08],SourceAddress:[00-0C-29-F8-28-E0]
+ Ipv4: Src = 10.10.10.11, Dest = 10.10.10.14, Next Protocol = TCP,
Packet ID = 18040, Total IP Length = 558
+ Tcp: Flags=...AP..., SrcPort=HTTP(80), DstPort=52493, PayloadLen=518,
Seq=2358625587 - 2358626105, Ack=2515443520, Win=245 (scale factor 0x6)
= 15680
- Http: Response, HTTP/1.1, Status: Not found, URL:
http://n2.netalyzr.icsi.berkeley.edu/conn/id=43ca208a-9025-9a9af3bb-31a2-47d2-82c5
ProtocolVersion: HTTP/1.1
StatusCode: 404, Not found
Reason: Not Found
Date: Mon, 17 Dec 2012 13:08:55 GMT
Server: Apache/2.2.15 (CentOS)
ContentLength: 338
Connection: close
+ ContentType: text/html; charset=iso-8859-1
HeaderEnd: CRLF
- payload: HttpContentType = text/html; charset=iso-8859-1
HtmlElement:
HtmlElement:
HtmlElement:
HtmlElement:
HtmlElement: 404 Not Found
HtmlElement:
HtmlElement:
HtmlElement:
HtmlElement: Not Found
HtmlElement:
HtmlElement: The requested URL
/conn/id=43ca208a-9025-9a9af3bb-31a2-47d2-82c5 was not found on this
server.
HtmlElement:
HtmlElement:
HtmlElement: Apache/2.2.15 (CentOS) Server at
n2.netalyzr.icsi.berkeley.edu Port 80
HtmlElement:
HtmlElement:
HtmlElement:
I made a Microsoft Network monitor dump of one netalyzr session on my
Windows machine (the one I run the netalyzr test from). As far as I
know, the capture format is readable by many analyzer tools. I included
frames from firefox.exe and java.exe. You can download it from here:
http://www.wombaz.de/files-to-transfer/netalyzr.cap
Tschau
Alex
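
The following is an added example, not part of the original messages and not Netalyzr's code. It illustrates how an "ID string in payload" check like the one the client log reports can be satisfied by an Apache 404 page that echoes the requested URL, next to a stricter check, and how a port can be read from X-Cache-Lookup. The function names, the sample header values and the "MISS from host:port" value format are assumptions.

```python
import re

# Session ID taken from the capture above; both responses are constructed samples.
SESSION_ID = "43ca208a-9025-9a9af3bb-31a2-47d2-82c5"
APACHE_404 = {  # modelled on frame 366: the error page echoes the request path
    "status": 404,
    "headers": {"Server": "Apache/2.2.15 (CentOS)", "Connection": "close"},
    "body": "<p>The requested URL /conn/id=%s was not found on this server.</p>"
            % SESSION_ID,
}
SQUID_200 = {  # constructed reply relayed by a forwarding proxy (assumed headers)
    "status": 200,
    "headers": {
        "Via": "1.1 linux1.wombaz.localnet:3128 (squid)",
        "X-Cache-Lookup": "MISS from linux1.wombaz.localnet:3128",
    },
    "body": "id=%s ok" % SESSION_ID,
}

def naive_confirm(resp, session_id):
    """Weak check: any payload containing the session ID confirms a proxy."""
    return session_id in resp["body"]

def strict_confirm(resp, session_id):
    """Require success status plus a proxy-added header, not only a reflected ID.

    Assumption: the proxy under test adds Via or X-Cache-Lookup.
    """
    if resp["status"] != 200:
        return False  # error pages commonly echo the requested URL
    names = {k.lower() for k in resp["headers"]}
    return session_id in resp["body"] and bool(names & {"via", "x-cache-lookup"})

def proxy_endpoint(headers):
    """Return (host, port) from an X-Cache-Lookup value, or None if absent."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "x-cache-lookup"), "")
    m = re.search(r"\bfrom\s+([A-Za-z0-9.-]+):(\d{1,5})\s*$", value)
    if not m or not 0 < int(m.group(2)) < 65536:
        return None  # no usable port: do not fall back to guessing port 80
    return m.group(1), int(m.group(2))
```
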
From ericdherringtonjr at gmail.com Tue Dec 18 21:06:28 2012
From: ericdherringtonjr at gmail.com (Eric Herrington)
Date: Wed, 19 Dec 2012 00:06:28 -0500
Subject: [Netalyzr] intranet proxy detection gets web server instead of
proxy
In-Reply-To: <50CF1CB1.2070101@wombaz.de>
References: <50C7349C.3040707@wombaz.de> <50C854B7.3060208@icir.org>
<50CF1CB1.2070101@wombaz.de>
Message-ID:
I believe you are sending this to the wrong person.
From whkrems at gmail.com Tue Dec 18 21:11:37 2012
From: whkrems at gmail.com (William Krems)
Date: Tue, 18 Dec 2012 23:11:37 -0600
Subject: [Netalyzr] intranet proxy detection gets web server instead of
proxy
In-Reply-To:
References: <50C7349C.3040707@wombaz.de> <50C854B7.3060208@icir.org>
<50CF1CB1.2070101@wombaz.de>
Message-ID:
Same here 2nd one I received