[Netalyzr] intranet proxy detection gets web server instead of proxy

Alex Woick alex at wombaz.de
Mon Dec 17 05:22:57 PST 2012


Christian Kreibich wrote on 12.12.2012 10:56:
> We have the header information in the session transcript, so let us take
> a look at what's going on. In the meantime it would be helpful if you
> could tell us (e.g. via a tcpdump) what's the content we retrieve from
> your webserver. I suppose it's a 404 of some sort?
Yes, exactly. Apache acts as if the proxy request is a normal request to 
the local web server.

   Frame: Number = 364, Captured Frame Length = 481, MediaType = ETHERNET
+ Ethernet: Etype = Internet IP 
(IPv4),DestinationAddress:[00-0C-29-F8-28-E0],SourceAddress:[BC-5F-F4-45-83-08]
+ Ipv4: Src = 10.10.10.14, Dest = 10.10.10.11, Next Protocol = TCP, 
Packet ID = 9106, Total IP Length = 467
+ Tcp: Flags=...AP..., SrcPort=52493, DstPort=HTTP(80), PayloadLen=427, 
Seq=2515443093 - 2515443520, Ack=2358625587, Win=256 (scale factor 0x8) 
= 65536
- Http: Request, GET 
http://n2.netalyzr.icsi.berkeley.edu/conn/id=43ca208a-9025-9a9af3bb-31a2-47d2-82c5 

     Command: GET
   - URI: 
http://n2.netalyzr.icsi.berkeley.edu/conn/id=43ca208a-9025-9a9af3bb-31a2-47d2-82c5
      Location: 
http://n2.netalyzr.icsi.berkeley.edu/conn/id=43ca208a-9025-9a9af3bb-31a2-47d2-82c5 

     ProtocolVersion: HTTP/1.1
     Host:  n2.netalyzr.icsi.berkeley.edu:80
     UserAgent:  Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) 
Gecko/20100101 Firefox/17.0
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
     Accept-Language:  de,en;q=0.5
     Accept-Encoding:  gzip, deflate
     Accept-Charset:  ISO-8859-1,utf-8;q=0.7,*;q=0.7
     Connection:  close
     HeaderEnd: CRLF

   Frame: Number = 366, Captured Frame Length = 572, MediaType = ETHERNET
+ Ethernet: Etype = Internet IP 
(IPv4),DestinationAddress:[BC-5F-F4-45-83-08],SourceAddress:[00-0C-29-F8-28-E0]
+ Ipv4: Src = 10.10.10.11, Dest = 10.10.10.14, Next Protocol = TCP, 
Packet ID = 18040, Total IP Length = 558
+ Tcp: Flags=...AP..., SrcPort=HTTP(80), DstPort=52493, PayloadLen=518, 
Seq=2358625587 - 2358626105, Ack=2515443520, Win=245 (scale factor 0x6) 
= 15680
- Http: Response, HTTP/1.1, Status: Not found, URL: 
http://n2.netalyzr.icsi.berkeley.edu/conn/id=43ca208a-9025-9a9af3bb-31a2-47d2-82c5 

     ProtocolVersion: HTTP/1.1
     StatusCode: 404, Not found
     Reason: Not Found
     Date:  Mon, 17 Dec 2012 13:08:55 GMT
     Server:  Apache/2.2.15 (CentOS)
     ContentLength:  338
     Connection:  close
   + ContentType:  text/html; charset=iso-8859-1
     HeaderEnd: CRLF
   - payload: HttpContentType =  text/html; charset=iso-8859-1
      HtmlElement: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
      HtmlElement:
<html>
      HtmlElement: <head>
      HtmlElement:
<title>
      HtmlElement: 404 Not Found</title>
      HtmlElement:
</head>
      HtmlElement: <body>
      HtmlElement:
<h1>
      HtmlElement: Not Found</h1>
      HtmlElement:
<p>
      HtmlElement: The requested URL 
/conn/id=43ca208a-9025-9a9af3bb-31a2-47d2-82c5 was not found on this 
server.</p>
      HtmlElement:
<hr>
      HtmlElement:
<address>
      HtmlElement: Apache/2.2.15 (CentOS) Server at 
n2.netalyzr.icsi.berkeley.edu Port 80</address>
      HtmlElement:
</body>
      HtmlElement: </html>
      HtmlElement:

I made a Microsoft Network Monitor dump of one netalyzr session on my 
Windows machine (the one I run the netalyzr test from). As far as I 
know, the capture format is readable by many analyzer tools. I included 
frames from firefox.exe and java.exe. You can download it from here:

http://www.wombaz.de/files-to-transfer/netalyzr.cap

Bye
Alex
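The symptom in the capture above, as an added example that is not part of the email or of Netalyzr's own code: build the absolute-form probe request a client sends to a forward proxy, parse the reply, and flag the case where the machine answered as its own web server instead of forwarding. The function names, the Apache-signature heuristic and the reconstructed sample response are my assumptions, taken from frames 364 and 366 of the mail.

```python
import re
from typing import Dict, Tuple

PROBE_HOST = "n2.netalyzr.icsi.berkeley.edu"
PROBE_PATH = "/conn/id=43ca208a-9025-9a9af3bb-31a2-47d2-82c5"

def build_probe(host: str, path: str) -> bytes:
    """Absolute-form GET (RFC 7230 s.5.3.2), the shape a proxy expects.
    An origin server receiving it answers for the authority in the URI,
    which is why Apache replied with its own 404 for the path."""
    return (f"GET http://{host}{path} HTTP/1.1\r\n"
            f"Host: {host}:80\r\nConnection: close\r\n\r\n").encode("ascii")

def parse_response(raw: bytes) -> Tuple[int, Dict[str, str], str]:
    """Split a raw HTTP/1.1 response into status, lower-cased headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body.decode("iso-8859-1")

def classify(raw: bytes, host: str, path: str) -> str:
    """'local-web-server' when the responder served the probe itself (the
    capture's symptom), else 'forwarded'. Heuristic assumption: Apache's
    default 404 page names only the path and echoes the Host as ServerName."""
    status, _, body = parse_response(raw)
    footer = re.search(r"Server at (\S+) Port (\d+)", body)
    if (status == 404 and f"{path} was not found on this server" in body
            and footer and footer.group(1) == host):
        return "local-web-server"
    return "forwarded"

# Constructed sample: response reconstructed from frame 366 of the capture.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Date: Mon, 17 Dec 2012 13:08:55 GMT\r\n"
    b"Server: Apache/2.2.15 (CentOS)\r\n"
    b"Connection: close\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n\r\n"
    b"<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n"
    b"<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n"
    b"<p>The requested URL /conn/id=43ca208a-9025-9a9af3bb-31a2-47d2-82c5 "
    b"was not found on this server.</p>\n<hr>\n"
    b"<address>Apache/2.2.15 (CentOS) Server at n2.netalyzr.icsi.berkeley.edu "
    b"Port 80</address>\n</body></html>\n"
)
```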