Use tcpdump to analyze soap data packets

Source: Internet
Author: User
Tags microsoft iis
Tcpdump is an exceptionally powerful network packet capture and analysis tool. it has recently been pulled out. Because I am writing a WebService-related program, I think the performance of the original script is too poor. I want to rewrite it with [WebService] gSoap. This server requires authentication, but after the server responds to my authentication, the RPC call still fails, wondering if so

Tcpdump is an exceptionally powerful network packet capture and analysis tool. it has recently been pulled out. Because I am writing a WebService-related program, I think the performance of the original script is too poor. I want to rewrite it with [WebService] gSoap. This server requires authentication, but after the server responds to my authentication, the RPC call still fails. I wonder if the structure of the soap package is incorrect. Because you do not know the specific reason, you want to capture the package.

We know thatTcpdumpIn this way, the detailed content of the package you want to capture is printed. the-X option prints both hex and ASCII content, which is especially suitable for analyzing new protocols; -s0 indicates that all data packets are fully captured. if you want to filter some packets, you can change the number 0 to the maximum number of bytes of the data packets you are concerned about:

"C"> # tcpdump-X-s0 host 192.168.0.1 and tcp and port 80

If you do experiments on the local machine, such as listening on apache data packets on the local machine, you can use the parameter-I to specify the listening device:

If you want to capture too much content and do not want to print it to the standard output, you can use the-w and-r options to write it to the file and then read the analysis from the file:

$ "N"> tcpdump-"n"> w tcpdump "p">. log "n"> host 192.168.0.1
$ "N"> tcpdump-"n"> r tcpdump "p">. log

Soap is actually built on top of http, and tcpdump has parameters specially printed in the ASCII form of data packets. Therefore, we filter all data packets containing the endpoint IP address (such as 192.168.1.111) and print them out, we can intuitively see the details of soap interaction.

$ "N"> tcpdump-"n"> Ai wlan0 "o">-s0 "n"> host 192.168.1.111

For example, the following content is printed by calling Login for this authentication, which is quite intuitive and helps you understand the specific workflow of http.

[Lancer "p"> @ Poseidon "err"> ~ "Cp">] $ tcpdump-A-s0 host 192.168.1.111
Tcpdump: verbose output suppressed, use-v or-vv for full protocol decode
Listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
13:03:51. 220047 IP 192.168.0.21.57595> 192.168.1.111.8016: S 1229105945: 1229105945 (0) win 5840
E .. "err"> <.. @. @.. c. = ......... PIB .......... h {.........
..
.........
13:03:51. 232748 IP 192.168.1.111.8016> 192.168.0.21.57595: S 476571269: 476571269 (0) ack 1229105946 win 16384
E .. @ E... z .. '..... =... p... g .. IB .... @........ d .......
............
13:03:51. 232764 IP 192.168.0.21.57595> 192.168.1.111.8016:. ack 1 win 46
E .. 4 .. @. @.. j. = ......... PIB... g .............
..
.....
13:03:51. 232819 IP 192.168.0.21.57595> 192.168.1.111.8016: P 1: 676 (675) ack 1 win 46
E ..... @. @. | .. = ......... PIB... g ....... \.....
..
... POST/esms/WebService/EsmsService. asmx HTTP/1.1
Host: 192.168.1.111: 8016
User-Agent: gSOAP/2.7.
Content-Type: text/xml; charset = utf-8
Content-Length: 451
Connection: keep-alive
SOAPAction: "http://tempuri.org/Login"
"Cp">
-ENV: Envelope "na"> xmlns: SOAP-ENV = "s"> "http://schemas.xmlsoap.org/soap/envelope/" "na"> xmlns: SOAP-ENC = "s"> "http://schemas.xmlsoap.org/soap/encoding/" "na"> xmlns: xsi = "s"> "http://www.w3.org/2001/XMLSchema-instance" "na"> xmlns: xsd = "s"> "http://www.w3.org/2001/XMLSchema" "na"> xmlns: ns1 = "s"> "http://tempuri.org/" "nt"> -ENV: Body "nt"> BJYTXY 123456
13:03:51. 250921 IP 192.168.1.111.8016> 192.168.0.21.57595: P 1: 627 (626) ack 676 win 64860
E... f. @. z ........ =... p... g .. IB ..... \.......
......
. HTTP/1.1 200 OK
Date: Wed, 12 Nov 2008 05:06:46 GMT
Server: Microsoft-Microsoft IIS/6.0
X-Powered-By: ASP. NET
X-AspNet-Version: 1.1.4322
Set-Cookie: ASP. NET_SessionId = rphtdr550eung2ulhucyydao; path =/
Cache-Control: private, max-age = 0
Content-Type: text/xml; charset = utf-8
Content-Length: 333
"Cp"> 0
Analyze these data packets

First, HTTP is a reliable TCP protocol, so it must begin with three handshakes. The output format of packets captured by TCP protocol is as follows:

Src> "n"> dst: "n"> flags data "o">-seqno "n"> ack window "n"> urgent options

Their meanings are as follows:

Src> dst indicates from source address to destination address

Flag Information in the flags TCP package:

S SYN

F fin-P PUSH

R RST

. Not marked

Sequence Number of the data in the data-seqno packet

The sequence number that ack expects next time

Size of the window receiving cache

Urgent indicates whether there is an emergency pointer in the data packet

Options is an option.

Take a look at the header of the above example:

: "Mf"> 51.220047 IP "mf"> 192.168. "mf"> 0.21.> "mf"> 192.168. "mf"> 1.111.: "n"> S "o">: "o"> ("o">) win

13:03:51. 220047 capture time

IP packet type

192.168.0.21.57595 sender address and port, such as send () write ()

192.168.1.111.8016 receiver address and port, such as recv () read ()

S sends SYN synchronous signals

1229105945: 1229105945 (0) data size is 0

Windows 5840 sliding window size

However, these headers do not have much to do with the analysis of soap packets. we only pay attention to the packet content. a WebService call contains only two parts. First, a soap package is requested, and the remote server returns a soap package. the session ends. Take a closer look at the HTTP header and find that IIS is used at the remote end. it is estimated that it is a Windows2003 server :)

The rest is simple. you can check your soap package structure, parameter request, and so on against the wsdl format, and then adjust your code.

Questions in this article

For example, the problem in this article is that gSoap does not support cookies on the client by default. However, this server needs to use the Cookie of the client to complete identity authentication, so an error occurs. First, the server will give you a SessionID that requires the client to put in the Cookie, for example, the last section:

Set-"n"> Cookie: "n"> ASP. "n"> NET_SessionId = "n"> rphtdr550eung2ulhucyydao "p">; path =/

However, because the client program does not support cookies, the content of the packet that is omitted by me is the same as that of the first client request. The soap header of the request does not contain this SessionID, so even if your last Login request succeeded, the server still doesn't know you and thinks you are a stranger. So I found the problem. The code is correct. I just need to recompile gSoap and it will be OK.

Query the gSoap documentation and find that if you want the client to support Cookies, you only need to modify the header file stdsoap2.h, add a definition # defineWITH_COOKIES at the beginning, re-compile and generate the link library file. Use the-DWITH_COOKIES to re-link the programs you write. When tcpdump is used to capture packets, it is found that the identity has been successfully verified, and SessionID can be correctly provided in subsequent Login request calls, so the server considers you as a regular customer, because one more header is included in the subsequent request:

Cookie: "n"> ASP. "na"> NET_SessionId = "n"> r2hwo055nsupd54514l3bvbp "o" >;$ Domain "o" >=" 192.168.1.111"
Conclusion

If the request process you want to analyze is too long, you can use-w to write data packets to a file and then analyze them slowly. Tcpdump is an exceptionally powerful network analysis tool with many detailed rules to define. packet capture is just a piece of cake for it. For example, you can also easily use it to sniff FTP and MSN messages in the LAN, because they are transmitted in plain text: P or if network latency is found, it is used to analyze the packet traffic, it's fun to see if any worm or Trojan is active.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.