Topic: Capturing HTTP traffic from a specific program / port

Offline free_electron

  • Super Contributor
  • ***
  • Posts: 7403
  • Country: us
    • SiliconValleyGarage
Capturing HTTP traffic from a specific program / port
« on: April 21, 2020, 01:27:01 pm »
I've tried using Wireshark, but I can't quite get it to where I want to be.

Problem 1:
I want to monitor 1 specific program talking to 1 specific port on one specific address.
For some reason I keep seeing other traffic to the same machine (other ports), error packets, handshake packets, ping packets etc...
I am only interested in the one port.

I set up a capture filter:  HOST 192.168.1.14 AND PORT 9780

I still see SMB2, TCP, ICMP, DNS, ARP and other stuff. What am I doing wrong? I am only interested in HTTP traffic.

Problem 2: if a message is longer than an Ethernet frame it is spread across multiple 'messages'. I'd like to see the entire message as 1 view. Now it gives me a ton of 'continuation' packets.
it would be nice to see something like

outgoing 1
   - packet 1
   - packet 2
incoming 1
   - packet 1
   - packet 2
   - ......
   - packet 329
outgoing 2

So it is easier to find when new messages start.

I am trying to trace the communication (SOAP / XML over HTTP) between client and host to find out the command set.

Right now there is too much 'noise' in the trace.
Professional Electron Wrangler.
Any comments, or points of view expressed, are my own and not endorsed , induced or compensated by my employer(s).
 

Offline eliocor

  • Supporter
  • ****
  • Posts: 421
  • Country: it
    • rhodiatoce
Re: Capturing HTTP traffic from a specific program / port
« Reply #1 on: April 21, 2020, 04:48:21 pm »
maybe (using Wireshark filter):
Code:
tcp.port==9780 and ip.addr==192.168.1.14
should filter correctly your packets.
 

Online MarkL

  • Supporter
  • ****
  • Posts: 1649
  • Country: us
Re: Capturing HTTP traffic from a specific program / port
« Reply #2 on: April 21, 2020, 05:06:31 pm »
On problem 1:  What "set up" did you do for the capture filter?  If you only defined it, it also needs to be enabled on your Ethernet interface.

On my version of Wireshark, it doesn't like upper case for capture filters, but it does print out an error.  Just a thought.


On problem 2: You could try "Analyze-->Follow TCP Stream" to put the input and output bytes back together for a specific stream.

You may also find some of the choices under "Statistics" to be useful, such as "Conversations".
 

Offline free_electron

  • Super Contributor
  • ***
  • Posts: 7403
  • Country: us
    • SiliconValleyGarage
Re: Capturing HTTP traffic from a specific program / port
« Reply #3 on: April 21, 2020, 05:41:02 pm »
Quote from: MarkL
On problem 1:  What "set up" did you do for the capture filter?  If you only defined it, it also needs to be enabled on your Ethernet interface.

It is enabled for the interface.
I only see traffic to and from port 9780, but there are various kinds of traffic.
I'm only interested in HTTP traffic.

Quote from: MarkL
On my version of Wireshark, it doesn't like upper case for capture filters, but it does print out an error.  Just a thought.

Correct, I use lowercase.

Quote from: MarkL
On problem 2: You could try "Analyze-->Follow TCP Stream" to put the input and output bytes back together for a specific stream.

That works, but the problem is finding where one stream stops and another begins.

There are hundreds of lines for one 'message', so I would like to see the packets 'grouped'.
Now it is just a list of packets.
You have to scroll to find out when the next 'message' begins.

This thing is a conversation between a front-end and a database backend. The messages can be enormous.

Wireshark properly follows the conversation, but only for one outgoing message and the answer. The problem is finding an easy way to scroll to the next 'conversation'.

Quote from: MarkL
You may also find some of the choices under "Statistics" to be useful, such as "Conversations".
 

Online gmb42

  • Regular Contributor
  • *
  • Posts: 187
  • Country: gb
Re: Capturing HTTP traffic from a specific program / port
« Reply #4 on: April 22, 2020, 06:00:12 pm »
Quote from: free_electron
I've tried using Wireshark, but I can't quite get it to where I want to be.

Problem 1:
I want to monitor 1 specific program talking to 1 specific port on one specific address.
For some reason I keep seeing other traffic to the same machine (other ports), error packets, handshake packets, ping packets etc...
I am only interested in the one port.

I set up a capture filter:  HOST 192.168.1.14 AND PORT 9780

I still see SMB2, TCP, ICMP, DNS, ARP and other stuff. What am I doing wrong? I am only interested in HTTP traffic.

Apart from the casing as noted elsewhere, that's a valid capture filter. Just a thought: is the IP address shown the target machine and not the local machine?  The port clause should still be limiting the capture, though.

Note that the specified filter, indeed the BPF engine used for capture filtering, says nothing about HTTP, only that the traffic must have an IPv4 header and in that header the source or destination address must have that IP and that the traffic must have a TCP\UDP header and in that header the source or destination port must have that port number.

Can you share a capture file?

Quote from: free_electron
Problem 2: if a message is longer than an Ethernet frame it is spread across multiple 'messages'. I'd like to see the entire message as 1 view. Now it gives me a ton of 'continuation' packets.
It would be nice to see something like

outgoing 1
   - packet 1
   - packet 2
incoming 1
   - packet 1
   - packet 2
   - ......
   - packet 329
outgoing 2

So it is easier to find when new messages start.

I am trying to trace the communication (SOAP / XML over HTTP) between client and host to find out the command set.

Right now there is too much 'noise' in the trace.

Wireshark's UI is very much frame orientated, so when you have application protocols that send bigger messages that span multiple transport segments, you will see the individual segments (e.g. HTTP continuations).  You can clear out the noise by applying a display filter to limit it to only your highest level supported protocol, i.e. "http" in this case.

You can also use the File -> Export Objects -> HTTP ... option to export each SOAP\XML request or response to a separate file.
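The grouping free_electron asked for (outgoing 1 / incoming 1 / outgoing 2 ...) is what you get once the segments of each direction are put back in sequence order and the resulting byte stream is cut at HTTP message boundaries. The Python below is an added example written for this thread, not code from Wireshark or from any poster: it reassembles constructed TCP segments (including one out-of-order and one retransmitted segment), frames HTTP/1.1 messages by Content-Length, and pairs each request with its response. The SOAP bodies, addresses and sequence numbers are made up for the demo; feed it the bytes of a real stream (e.g. what Follow TCP Stream shows) and it does the same job on them.

```python
from dataclasses import dataclass


@dataclass
class Segment:
    """One captured TCP segment with payload (constructed, not from a pcap)."""
    direction: str   # "out" = client -> server, "in" = server -> client
    seq: int         # TCP sequence number of the first payload byte
    payload: bytes


def reassemble(segments, direction):
    """Rebuild one direction of the byte stream in sequence order.

    Retransmitted or overlapping bytes are dropped. At a gap (a segment the
    capture missed) we stop instead of splicing unrelated bytes, so a short
    result is the signal that the capture is incomplete.
    """
    segs = sorted((s for s in segments if s.direction == direction), key=lambda s: s.seq)
    stream, expected = bytearray(), None
    for s in segs:
        if expected is None:
            expected = s.seq
        if s.seq + len(s.payload) <= expected:
            continue                                  # pure retransmission
        if s.seq > expected:
            break                                     # hole in the capture
        stream += s.payload[expected - s.seq:]        # keep only the new bytes
        expected = s.seq + len(s.payload)
    return bytes(stream)


def split_http_messages(stream):
    """Cut a reassembled HTTP/1.1 stream into messages by Content-Length.

    SOAP traffic normally carries Content-Length; a chunked body is refused
    rather than silently mis-framed.
    """
    messages, pos = [], 0
    while pos < len(stream):
        hdr_end = stream.find(b"\r\n\r\n", pos)
        if hdr_end < 0:
            break                                     # header cut off
        lines = stream[pos:hdr_end].decode("latin-1").split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        if headers.get("transfer-encoding", "").lower() == "chunked":
            raise ValueError("chunked transfer-encoding is not handled here")
        length = int(headers.get("content-length", "0"))
        body_start = hdr_end + 4
        body = stream[body_start:body_start + length]
        if len(body) < length:
            break                                     # body cut off
        messages.append({"start_line": lines[0], "headers": headers, "body": body})
        pos = body_start + length
    return messages


def group_conversation(segments):
    """Pair request n with response n (HTTP/1.1 without pipelining answers in order)."""
    requests = split_http_messages(reassemble(segments, "out"))
    responses = split_http_messages(reassemble(segments, "in"))
    return [{"n": i + 1, "request": rq, "response": rs}
            for i, (rq, rs) in enumerate(zip(requests, responses))]


# --- constructed sample traffic; hypothetical SOAP bodies, not a real API ---
REQ1_BODY = b'<Envelope><Body><GetItem id="x"/></Body></Envelope>'
REQ2_BODY = b'<Envelope><Body><SetParam id="x" name="z" value="something"/></Body></Envelope>'
RESP1_BODY = b'<Envelope><Body><GetItemResponse status="new"/></Body></Envelope>'
RESP2_BODY = b'<Envelope><Body><SetParamResponse ok="true"/></Body></Envelope>'


def http_message(start_line, headers, body):
    """Serialise one HTTP/1.1 message with a correct Content-Length."""
    head = start_line + "\r\n" + "".join(f"{k}: {v}\r\n" for k, v in headers)
    return (head + f"Content-Length: {len(body)}\r\n\r\n").encode("latin-1") + body


def segment(data, direction, base_seq, size):
    """Slice a byte stream into fixed-size segments, as a NIC trace shows them."""
    return [Segment(direction, base_seq + i, data[i:i + size]) for i in range(0, len(data), size)]


def sample_segments():
    """Two SOAP exchanges, delivered with the disorder a real capture can show."""
    req_hdrs = [("Host", "192.168.1.14:9780"), ("Content-Type", "text/xml")]
    rsp_hdrs = [("Content-Type", "text/xml")]
    out = segment(http_message("POST /service HTTP/1.1", req_hdrs, REQ1_BODY)
                  + http_message("POST /service HTTP/1.1", req_hdrs, REQ2_BODY), "out", 1000, 60)
    inc = segment(http_message("HTTP/1.1 200 OK", rsp_hdrs, RESP1_BODY)
                  + http_message("HTTP/1.1 200 OK", rsp_hdrs, RESP2_BODY), "in", 5000, 40)
    inc[1], inc[2] = inc[2], inc[1]                         # out-of-order arrival
    inc.append(Segment("in", inc[0].seq, inc[0].payload))   # a retransmission
    return out + inc


if __name__ == "__main__":
    for c in group_conversation(sample_segments()):
        print(f"outgoing {c['n']}: {c['request']['start_line']} ({len(c['request']['body'])} body bytes)")
        print(f"incoming {c['n']}: {c['response']['start_line']} ({len(c['response']['body'])} body bytes)")
```

Stopping at a sequence gap is deliberate: if the capture dropped a segment, a reassembled stream that quietly skips over the hole would put the wrong bytes into a message body, and an XML document that parses but is missing an element is harder to spot than one that is obviously truncated.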
 

Offline Tony_G

  • Frequent Contributor
  • **
  • Posts: 623
  • Country: us
  • Checkout my old test gear channel (link in sig)
    • TGSoapbox
Re: Capturing HTTP traffic from a specific program / port
« Reply #5 on: April 22, 2020, 06:35:56 pm »
Have you looked at Fiddler? https://www.telerik.com/fiddler

We used this extensively at MS for doing exactly this.

TonyG

Offline 1xrtt

  • Regular Contributor
  • *
  • Posts: 64
  • Country: br
Re: Capturing HTTP traffic from a specific program / port
« Reply #6 on: April 22, 2020, 07:45:39 pm »
Quote from: eliocor
maybe (using Wireshark filter):
Code:
tcp.port==9780 and ip.addr==192.168.1.14
should filter correctly your packets.

I'm using Wireshark version 3.0.x here and it does not accept capture filters with ALL CAPS. Try using "host 192.168.1.14 and port 9780"

However, the display filter above should work as is. I usually don't use capture filters, as sometimes I may want to look into other traffic that gives clues to a problem (like ICMP unreachable packets, for example), so I would suggest clearing all capture filters and trying display filters first.
If the traffic volume is too high, then you may use a capture filter to reduce it.

Sometimes I use fiddler, but for traffic analysis at packet level, nothing really beats Wireshark.

 

Offline free_electron

  • Super Contributor
  • ***
  • Posts: 7403
  • Country: us
    • SiliconValleyGarage
Re: Capturing HTTP traffic from a specific program / port
« Reply #7 on: April 23, 2020, 01:16:22 pm »
Quote from: Tony_G
Have you looked at Fiddler? https://www.telerik.com/fiddler

We used this extensively at MS for doing exactly this.

TonyG
That won't work. This system runs on a closed network (no internet access), so most likely it can't route the packets from my machine, over the internet, to Telerik's machines to 'sniff', back into my network to throw it on the VPN to the server...
Even if it would succeed in finding a way... I don't want the data to be sniffed externally. Wireshark stays on my side of the fence...

Same reason I won't share traces from Wireshark...

If you must know what I am trying to do: sniff the traffic between Altium Designer and the Altium Vault server to learn the command syntax for certain operations so I can drive those from a script.
Like:

- elevate the release status for object x from 'new' to 'prototype'
- for latest_release of (object 'x'), set the value of parameter 'z' to 'something'

You can do all those things through the UI, but not through their exposed API. However, since the UI can do it there must be a SOAP command to execute it. All traffic between the client and the server is going through SOAP / XML. Only the footprints and symbols are binary blobs, but I am not manipulating those.
I want to find a way to bulk upload 'textual' data into the tables so I can shoot pricing information, stock levels, compliance flags etc. from a script.
Now I have to do this using copy-paste operations and I can spend days updating hundreds of parts... If I can script this it would take seconds. I can make a command file the script would execute.
 

Online HwAoRrDk

  • Frequent Contributor
  • **
  • Posts: 733
  • Country: gb
Re: Capturing HTTP traffic from a specific program / port
« Reply #8 on: April 23, 2020, 08:52:37 pm »
Quote from: free_electron
That won't work. This system runs on a closed network (no internet access) so most likely it can't route the packets from my machine, over the internet, to Telerik's machines to 'sniff', back into my network to throw it on the VPN to the server...

Fiddler doesn't work like that. When they say "proxy server", what they mean is that the Fiddler software (that you install locally) acts as an HTTP proxy server that in addition to forwarding the traffic, captures and allows you to 'fiddle' with the data (e.g. modify and replay a request). Works with HTTPS traffic too if you're able to install a 'fake' secure root certificate so that Fiddler can impersonate the remote server.

If you're able to make Altium route all HTTP traffic through a user-defined proxy server, then Fiddler is an option.
 
The following users thanked this post: free_electron

Offline free_electron

  • Super Contributor
  • ***
  • Posts: 7403
  • Country: us
    • SiliconValleyGarage
Re: Capturing HTTP traffic from a specific program / port
« Reply #9 on: April 24, 2020, 11:40:16 pm »
Quote from: HwAoRrDk
Fiddler doesn't work like that. When they say "proxy server", what they mean is that the Fiddler software (that you install locally) acts as an HTTP proxy server that in addition to forwarding the traffic, captures and allows you to 'fiddle' with the data (e.g. modify and replay a request). Works with HTTPS traffic too if you're able to install a 'fake' secure root certificate so that Fiddler can impersonate the remote server.

If you're able to make Altium route all HTTP traffic through a user-defined proxy server, then Fiddler is an option.

OK then. I thought this was one of those 'web' services. There are a number of service providers out there that do analytics and packet inspection, but it involves routing the traffic over their machines.
 

Offline cdev

  • Super Contributor
  • ***
  • Posts: 5453
  • Country: 00
Re: Capturing HTTP traffic from a specific program / port
« Reply #10 on: May 05, 2020, 03:55:31 pm »
There are a number of web app debugging tools that you run locally which act as a proxy and can allow you to debug HTTPS traffic. As stated elsewhere you need it to use the appropriate certificates.

It's a PITA, but it gives you back the sniffing abilities taken by the switch to HTTPS. If I were you I would turn off web sockets while you do this.
"What the large print giveth, the small print taketh away."
 

