[Netalyzr] intranet proxy detection gets web server instead of proxy
Alex Woick
alex at wombaz.de
Mon Dec 17 05:22:57 PST 2012
Christian Kreibich schrieb am 12.12.2012 10:56:
> We have the header information in the session transcript, so let us take
> a look at what's going on. In the meantime it would be helpful if you
> could tell us (e.g. via a tcpdump) what's the content we retrieve from
> your webserver. I suppose it's a 404 of some sort?
Yes, exactly. Apache acts as if the proxy request is a normal request to
the local web server.
Frame: Number = 364, Captured Frame Length = 481, MediaType = ETHERNET
+ Ethernet: Etype = Internet IP
(IPv4),DestinationAddress:[00-0C-29-F8-28-E0],SourceAddress:[BC-5F-F4-45-83-08]
+ Ipv4: Src = 10.10.10.14, Dest = 10.10.10.11, Next Protocol = TCP,
Packet ID = 9106, Total IP Length = 467
+ Tcp: Flags=...AP..., SrcPort=52493, DstPort=HTTP(80), PayloadLen=427,
Seq=2515443093 - 2515443520, Ack=2358625587, Win=256 (scale factor 0x8)
= 65536
- Http: Request, GET
http://n2.netalyzr.icsi.berkeley.edu/conn/id=43ca208a-9025-9a9af3bb-31a2-47d2-82c5
Command: GET
- URI:
http://n2.netalyzr.icsi.berkeley.edu/conn/id=43ca208a-9025-9a9af3bb-31a2-47d2-82c5
Location:
http://n2.netalyzr.icsi.berkeley.edu/conn/id=43ca208a-9025-9a9af3bb-31a2-47d2-82c5
ProtocolVersion: HTTP/1.1
Host: n2.netalyzr.icsi.berkeley.edu:80
UserAgent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0)
Gecko/20100101 Firefox/17.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: close
HeaderEnd: CRLF
Frame: Number = 366, Captured Frame Length = 572, MediaType = ETHERNET
+ Ethernet: Etype = Internet IP
(IPv4),DestinationAddress:[BC-5F-F4-45-83-08],SourceAddress:[00-0C-29-F8-28-E0]
+ Ipv4: Src = 10.10.10.11, Dest = 10.10.10.14, Next Protocol = TCP,
Packet ID = 18040, Total IP Length = 558
+ Tcp: Flags=...AP..., SrcPort=HTTP(80), DstPort=52493, PayloadLen=518,
Seq=2358625587 - 2358626105, Ack=2515443520, Win=245 (scale factor 0x6)
= 15680
- Http: Response, HTTP/1.1, Status: Not found, URL:
http://n2.netalyzr.icsi.berkeley.edu/conn/id=43ca208a-9025-9a9af3bb-31a2-47d2-82c5
ProtocolVersion: HTTP/1.1
StatusCode: 404, Not found
Reason: Not Found
Date: Mon, 17 Dec 2012 13:08:55 GMT
Server: Apache/2.2.15 (CentOS)
ContentLength: 338
Connection: close
+ ContentType: text/html; charset=iso-8859-1
HeaderEnd: CRLF
- payload: HttpContentType = text/html; charset=iso-8859-1
HtmlElement: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
HtmlElement:
<html>
HtmlElement: <head>
HtmlElement:
<title>
HtmlElement: 404 Not Found</title>
HtmlElement:
</head>
HtmlElement: <body>
HtmlElement:
<h1>
HtmlElement: Not Found</h1>
HtmlElement:
<p>
HtmlElement: The requested URL
/conn/id=43ca208a-9025-9a9af3bb-31a2-47d2-82c5 was not found on this
server.</p>
HtmlElement:
<hr>
HtmlElement:
<address>
HtmlElement: Apache/2.2.15 (CentOS) Server at
n2.netalyzr.icsi.berkeley.edu Port 80</address>
HtmlElement:
</body>
HtmlElement: </html>
HtmlElement:
I made a Microsoft Network monitor dump of one netalyzr session on my
Windows machine (the one I run the netalyzr test from). As far as I
know, the capture format is readable by many analyzer tools. I included
frames from firefox.exe and java.exe. You can download it from here:
http://www.wombaz.de/files-to-transfer/netalyzr.cap
Tschau
Alex
More information about the Netalyzr
mailing list