sfk tcpdump problem with host name

Frank
2012-05-11
2013-01-06
  • Frank
    Frank
    2012-05-11

    This command works
    >sfk tcpdump -flat 9000 -forward home.comcast.net:80 -timeout 2000 | tee >log.txt
    but the hostname is not the one that I am communicating with.

    This
    >sfk tcpdump -flat 9000 -forward home.comcast.net/~dyscdbc:80 -timeout 2000 | tee >log.txt
    shows the address I actually need to reach  but sfk generates
    >>error: cannot get host: home.comcast.net/~dyscdbc

    I tried adding a trailing slash  and encoding the tilde  and then both.  Same error every time.

    Am I doing something wrong?
    Or is there a work-around?

     
  • Frank
    Frank
    2012-05-11

    The string "67e" in the URL given above is actually "%7e".
    IOW  I replaced "/~dyscdbc" with "/%7edyscdbc".

     
  • stahlworks
    stahlworks
    2012-05-11

    > > sfk tcpdump -flat 9000 -forward home.comcast.net:80
    > > but the hostname is not the one that I am communicating with.

    By hostname you probably mean the Http header field:

    > > Host: localhost:9000

    which is produced by your web browser, and passed through SFK
    to the target machine. It is possible that this produces
    problems with virtual host resolving on that target machine.

    The machine may try to resolve a document root for web pages
    by that Host header, and as "localhost" is unknown,
    you may end up only with an error page.

    > > sfk tcpdump -flat 9000 -forward home.comcast.net/~dyscdbc:80

    And this is not at all allowed. If SFK tcpdump gets a phrase "a:b"
    then it thinks "a" is a hostname, in your case "home.comcast.net/~dyscdbc" -
    but this is a mixture of a hostname and a path.

    To summarize, you must send HTTP requests to SFK
    containing a correct "Host:" header field.
    This can be done by entering SFK as a proxy in your web browser.

    In Firefox, open options/options/network/settings, set
    manual proxy configuration, set http proxy "localhost" port 9000.

    Then type http://home.comcast.net/~dyscdbc within Firefox,
    and it should send the request to SFK with correct Host: header.

     
  • Frank
    Frank
    2012-05-11

    Thanks for you reply.

    I fully understand the proxy setup - and it works fine in a browser.

    I am trying to work with a WebDAV client, however, and addresses of the form
        home.comcast.net/~dyscdbc
    are normal server names in the context of FrontPage extensions.

    I will post again when I have a better packet sniffer and can show you what tcpdump needs to pass back and forth.  At the moment I don't actually know the complete details myself, but I can tell you that when I open the site mentioned above in SharePoint Designer 2007. sfk catches no traffic at all.  If I navigate to the same site in a browser, however, sfk intercepts and displays all traffic to/from that hostname .

     
  • Frank
    Frank
    2012-05-11

    OK. now I have a better idea of what is happening.  And before I go on, a big "THANK YOU!" .

    I couldn't find a button to add a file, so I have appended a captured conversation below.

    One of my symptoms appears to be the result of my not understanding how sfk is invoked.

    When I put a site name in the sfk command line then navigate to localhost:9000 in any browser, sfk is invoked and captures HTTP traffic to and from that host as expected.

    SharePoint Designer 2007 doesn't work that way.

    I had to configure SPD internally to use a proxy  - and I wouldn't have tumbled to the fact that I might have to do that if you hadn't made the detailed comment about Firefox.  Thank you!!

    When I had done that, all traffic started going through sfk   but when stdout from its commandlne went on to tee; nothing appeared on the screen.  That made me think that it wasn't working, but  my log file was created.

    Basically my sfk problem is solved.  I am a little puzzled as to why I'm not  getting the display I expected, but the log file is  more useful anyway.

    Now that I think of it, I have decided not to post the entire captured text in a public forum.  In the very unlikely event that you would like to see the rest of it, I can email it to you.

    === partial dump follows
    waiting on port 9000 for connections, to forward to home.comcast.net:80. timeout is 2000 milliseconds.
          

    GET http://home.comcast.net/_vti_inf.html HTTP/1.0
    Date: Fri, 11 May 2012 21:12:12 GMT
    MIME-Version: 1.0
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MS FrontPage 12.0)
    Host: home.comcast.net
    Accept-Language: en-us, en;q=0.1
    Accept: auth/sicily
    Content-Length: 0
    Proxy-Connection: Keep-Alive
    Pragma: no-cache
    Cookie: s_vi=v1|26EA59BF85149187-4000016A60032D92

    HTTP/1.1 200 OK
    Connection: close
    Date: Fri, 11 May 2012 21:12:17 GMT
    Server: Apache
    Last-Modified: Fri, 15 Jun 2007 18:08:23 GMT
    ETag: "888450-60e-4672d597"
    Accept-Ranges: bytes
    Content-Type: text/html

    <html>

    <head>
    <meta http-equiv="Content-Type"
    content="text/html; charset=iso-8859-1">
    <title> FrontPage Configuration Information </title>
    </head>

    <body>
    <!- _vti_inf.html version 0.100>
    <!-
    This file contains important information used by the FrontPage client
    (the FrontPage Explorer and FrontPage Editor) to communicate with the
    FrontPage server extensions installed on this web server.

    The values below are automatically set by FrontPage at installation.  Normally, you do not need to modify these values, but in case
    you do, the parameters are as follows:

    'FPShtmlScriptUrl', 'FPAuthorScriptUrl', and 'FPAdminScriptUrl' specify
    the relative urls for the scripts that FrontPage uses for remote
    authoring.  These values should not be changed.

    'FPVersion' identifies the version of the FrontPage Server Extensions
    installed, and should not be changed.
    -><!- FrontPage Configuration Information
    FPNoRootWeb="1"
    ->
    <p><!-webbot bot="PurpleText"
    preview="This page is placed into the root directory of your FrontPage web when FrontPage is installed.  It contains information used by the FrontPage client to communicate with the FrontPage server extensions installed on this web server.  You should not delete this file."
    -></p>

    <h1>FrontPage Configuration Information </h1>

    <p>In the HTML comments, this page contains configuration
    information that the FrontPage Explorer and FrontPage Editor need to
    communicate with the FrontPage server extensions installed on
    this web server. Do not delete this page.</p>
    </body>
    </html>

          

    POST http://home.comcast.net/~dyscdbc/_vti_bin/shtml.exe/_vti_rpc HTTP/1.0
    Date: Fri, 11 May 2012 21:12:19 GMT
    MIME-Version: 1.0
    User-Agent: MSFrontPage/12.0
    Host: home.comcast.net
    Accept-Language: en-us, en;q=0.1
    Accept: auth/sicily
    Content-Length: 42
    Content-Type: application/x-www-form-urlencoded
    X-Vermeer-Content-Type: application/x-www-form-urlencoded
    Proxy-Connection: Keep-Alive
    Pragma: no-cache
    Cookie: s_vi=v1|26EA59BF85149187-4000016A60032D92

    method=server+version%3a12%2e0%2e0%2e6500

    HTTP/1.1 200 OK
    Connection: close
    Date: Fri, 11 May 2012 21:12:22 GMT
    Server: Apache
    Content-Type: application/x-vermeer-rpc

    <html><head><title>vermeer RPC packet</title></head>
    <body>
    <p>method=server version:5.0.2.2634
    <p>server version=
    <ul>
    <li>major ver=5
    <li>minor ver=0
    <li>phase ver=2
    <li>ver incr=2634
    </ul>
    <p>source control=1
    </body>
    </html>

          

    POST http://home.comcast.net/~dyscdbc/_vti_bin/_vti_aut/author.exe HTTP/1.0
    Date: Fri, 11 May 2012 21:12:24 GMT
    MIME-Version: 1.0
    User-Agent: MSFrontPage/12.0
    Host: home.comcast.net
    Accept-Language: en-us, en;q=0.1
    Accept: auth/sicily
    Content-Length: 68
    Content-Type: application/x-www-form-urlencoded
    X-Vermeer-Content-Type: application/x-www-form-urlencoded
    Proxy-Connection: Keep-Alive
    Pragma: no-cache
    Cookie: s_vi=v1|26EA59BF85149187-4000016A60032D92

    method=open+service%3a5%2e0%2e2%2e2634&service%5fname=%2f%7edyscdbc

    HTTP/1.1 401 Authorization Required
    Connection: close
    Date: Fri, 11 May 2012 21:12:27 GMT
    Server: Apache
    WWW-Authenticate: Basic realm="home.comcast.net"
    Content-Type: text/html; charset=iso-8859-1

    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <HTML><HEAD>
    <TITLE>401 Authorization Required</TITLE>
    </HEAD><BODY>
    <H1>Authorization Required</H1>
    This server could not verify that you
    are authorized to access the document
    requested.  Either you supplied the wrong
    credentials (e.g., bad password), or your
    browser doesn't understand how to supply
    the credentials required.<P>
    </BODY></HTML>

          

    POST http://home.comcast.net/~dyscdbc/_vti_bin/_vti_aut/author.exe HTTP/1.0
    Date: Fri, 11 May 2012 21:12:24 GMT
    MIME-Version: 1.0
    User-Agent: MSFrontPage/12.0
    Host: home.comcast.net
    Accept-Language: en-us, en;q=0.1
    Accept: auth/sicily
    Content-Length: 68
    Content-Type: application/x-www-form-urlencoded
    X-Vermeer-Content-Type: application/x-www-form-urlencoded
    Proxy-Connection: Keep-Alive
    Pragma: no-cache
    Cookie: s_vi=v1|26EA59BF85149187-4000016A60032D92
    Authorization: Basic
    === partial dump ends