Human readable output from tcpdump
Posted by davidnewcomb on 13 Jun 2008 in System Admin
I had a problem with Funambol’s administration tool where the same version worked at home, but not at work. When I tried to login at work it said “Host not found or not reachable, please verify connection parameter". I verified the host was found, the route was reachable and the user name and password were correct. The error in the client (and server) log was:
12 Jun 2008 09:58 [ERROR] no SOAPAction header! AxisFault faultCode: {http://xml.apache.org/axis/}Client.NoSOAPAction faultSubcode: faultString: no SOAPAction header! faultActor: faultNode: faultDetail: {http://xml.apache.org/axis/}hostname:bigsoft.co.uk no SOAPAction header! at org.apache.axis.message.SOAPFaultBuilder.createFault(SOAPFaultBuilder.java:222) at org.apache.axis.message.SOAPFaultBuilder.endElement(SOAPFaultBuilder.java:129) at org.apache.axis.encoding.DeserializationContext.endElement(DeserializationContext.java:1087) at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.endElement(AbstractSAXParser.java:633) at com.sun.org.apache.xerces.internal.impl.XMLNSDocumentScannerImpl.scanEndElement(XMLNSDocumentScannerImpl.java:719) at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDispatcher.dispatch(XMLDocumentFragmentScannerImpl.java:1685) at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:368) at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:834) at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:764) at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:148) at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1242) at javax.xml.parsers.SAXParser.parse(SAXParser.java:375) at org.apache.axis.encoding.DeserializationContext.parse(DeserializationContext.java:227) at org.apache.axis.SOAPPart.getAsSOAPEnvelope(SOAPPart.java:696) at org.apache.axis.Message.getSOAPEnvelope(Message.java:435) at org.apache.axis.transport.http.HTTPSender.readFromSocket(HTTPSender.java:796) at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:144) at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32) at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118) at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83) at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165) at org.apache.axis.client.Call.invokeEngine(Call.java:2784) at org.apache.axis.client.Call.invoke(Call.java:2767) at org.apache.axis.client.Call.invoke(Call.java:2443) at org.apache.axis.client.Call.invoke(Call.java:2366) at org.apache.axis.client.Call.invoke(Call.java:1812) at com.funambol.admin.util.WSTools.invoke(WSTools.java:122) at com.funambol.admin.main.BusinessDelegate.login(BusinessDelegate.java:458) at com.funambol.admin.main.SyncAdminController.startLogin(SyncAdminController.java:346) at com.funambol.admin.main.SyncAdminController$ConnectionThread.run(SyncAdminController.java:622)The administration tool uses SOAP to communicate, and the error means that the request does not have a action command in the HTTP header. Is the problem the client software? Wireshark helped with the answer. First I needed to verify that what was being sent from both locations was the same. Packet sniffing on the work and PC produced the same result:
POST /funambol/services/admin HTTP/1.0 Content-Type: text/xml; charset=utf-8 Accept: application/soap+xml, application/dime, multipart/related, text/* User-Agent: Axis/1.4 Host: bigsoft.co.uk Cache-Control: no-cache Pragma: no-cache SOAPAction: "" Content-Length: 444 Authorization: Basic ***** <?xml version="1.0" encoding="UTF-8"?> <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <soapenv:Body> <login soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"> <arg0 xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">admin</arg0> </login> </soapenv:Body></soapenv:Envelope>The trace showed a SOAPAction included. The question is what does the server think we are saying? To find this out I need to see the packet arriving on the server. To do this I used a program called tcpdump which is installed by default on almost all unix machines. Running tcpdump on the machine with no parameters just gives information about connections, but I needed the contents of the packet. The special incantation to get this is:
tcpdump -lnX -s 1024 dst port ??Where: -l - Make stdout line buffered -n - Don’t convert addresses -X - Expand packet -s 1024 - Snarf snaplen bytes of data from each packet rather than the default of 68 dst port ?? - Only display packets going to port ?? This produced the output thus:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 1024 bytes 10:30:20.689632 IP work_ip.22620 > bigsoft.co.uk.webcache: S 2161710720:2161710720(0) win 512 <mss 1460> 0x0000: 4500 002c b434 0000 3806 8e73 c30c 1422 E..,.4..8..s..." 0x0010: 576a 118c 585c 1f90 80d9 1680 0000 0000 Wj..X\.......... 0x0020: 6002 0200 46bc 0000 0204 05b4 aaaa `...F......... 10:30:20.713939 IP work_ip.22620 > bigsoft.co.uk.webcache: . ack 3824537099 win 7300 0x0000: 4500 0028 b43a 4000 3806 4e71 c30c 1422 E..(.:@.8.Nq..." 0x0010: 576a 118c 585c 1f90 80d9 1681 e3f5 ce0b Wj..X\.......... 0x0020: 5010 1c84 91e3 0000 0000 aaaa aaaa P............. 10:30:20.715952 IP work_ip.22620 > bigsoft.co.uk.webcache: P 0:770(770) ack 1 win 7300 0x0000: 4500 032a b43b 4000 3806 4b6e c30c 1422 E..*.;@.8.Kn..." 0x0010: 576a 118c 585c 1f90 80d9 1681 e3f5 ce0b Wj..X\.......... 0x0020: 5018 1c84 9979 0000 504f 5354 202f 6675 P....y..POST./fu 0x0030: 6e61 6d62 6f6c 2f73 6572 7669 6365 732f nambol/services/ 0x0040: 6164 6d69 6e20 4854 5450 2f31 2e30 0d0a admin.HTTP/1.0.. 0x0050: 436f 6e74 656e 742d 5479 7065 3a20 7465 Content-Type:.te 0x0060: 7874 2f78 6d6c 3b20 6368 6172 7365 743d xt/xml;.charset= 0x0070: 7574 662d 380d 0a41 6363 6570 743a 2061 utf-8..Accept:.a 0x0080: 7070 6c69 6361 7469 6f6e 2f73 6f61 702b pplication/soap+ 0x0090: 786d 6c2c 2061 7070 6c69 6361 7469 6f6e xml,.application 0x00a0: 2f64 696d 652c 206d 756c 7469 7061 7274 /dime,.multipart 0x00b0: 2f72 656c 6174 6564 2c20 7465 7874 2f2a /related,.text/* 0x00c0: 0d0a 5573 6572 2d41 6765 6e74 3a20 4178 ..User-Agent:.Ax 0x00d0: 6973 2f31 2e34 0d0a 486f 7374 3a20 ???? is/1.4..Host:.?? 0x00e0: ???? ???? ???? ???? ???? ???? ???? ???? www.bigsoft.co.u 0x00f0: 6d65 ???? ???? ???? ???? ???? ???? ???? k??????????????? 0x0100: 3038 300d 0a43 6163 6865 2d43 6f6e 7472 ???..Cache-Contr 0x0110: 6f6c 3a20 6e6f 2d63 6163 6865 0d0a 5072 ol:.no-cache..Pr 0x0120: 6167 6d61 3a20 6e6f 2d63 6163 6865 0d0a agma:.no-cache.. 0x0130: 436f 6e74 656e 742d 4c65 6e67 7468 3a20 Content-Length:. 0x0140: 3434 340d 0a41 7574 686f 7269 7a61 7469 444..Authorizati 0x0150: ???? ???? ???? ???? ???? ???? ???? ???? on:.Basic.?????? 0x0160: ???? ???? ???? ???? ???? ???? ???? ???? ??????????....<? 0x0170: 786d 6c20 7665 7273 696f 6e3d 2231 2e30 xml.version="1.0 0x0180: 2220 656e 636f 6469 6e67 3d22 5554 462d ".encoding="UTF- 0x0190: 3822 3f3e 3c73 6f61 7065 6e76 3a45 6e76 8"?><soapenv:Env 0x01a0: 656c 6f70 6520 786d 6c6e 733a 736f 6170 elope.xmlns:soap 0x01b0: 656e 763d 2268 7474 703a 2f2f 7363 6865 env="http://sche 0x01c0: 6d61 732e 786d 6c73 6f61 702e 6f72 672f mas.xmlsoap.org/ 0x01d0: 736f 6170 2f65 6e76 656c 6f70 652f 2220 soap/envelope/". 0x01e0: 786d 6c6e 733a 7873 643d 2268 7474 703a xmlns:xsd="http: 0x01f0: 2f2f 7777 772e 7733 2e6f 7267 2f32 3030 //www.w3.org/200 0x0200: 312f 584d 4c53 6368 656d 6122 2078 6d6c 1/XMLSchema".xml 0x0210: 6e73 3a78 7369 3d22 6874 7470 3a2f 2f77 ns:xsi="http://w 0x0220: 7777 2e77 332e 6f72 672f 3230 3031 2f58 ww.w3.org/2001/X 0x0230: 4d4c 5363 6865 6d61 2d69 6e73 7461 6e63 MLSchema-instanc 0x0240: 6522 3e3c 736f 6170 656e 763a 426f 6479 e"><soapenv:Body 0x0250: 3e3c 6c6f 6769 6e20 736f 6170 656e 763a ><login.soapenv: 0x0260: 656e 636f 6469 6e67 5374 796c 653d 2268 encodingStyle="h 0x0270: 7474 703a 2f2f 7363 6865 6d61 732e 786d ttp://schemas.xm 0x0280: 6c73 6f61 702e 6f72 672f 736f 6170 2f65 lsoap.org/soap/e 0x0290: 6e63 6f64 696e 672f 223e 3c61 7267 3020 ncoding/"><arg0. 0x02a0: 7873 693a 7479 7065 3d22 736f 6170 656e xsi:type="soapen 0x02b0: 633a 7374 7269 6e67 2220 786d 6c6e 733a c:string".xmlns: 0x02c0: 736f 6170 656e 633d 2268 7474 703a 2f2f soapenc="http:// 0x02d0: 7363 6865 6d61 732e 786d 6c73 6f61 702e schemas.xmlsoap. 0x02e0: 6f72 672f 736f 6170 2f65 6e63 6f64 696e org/soap/encodin 0x02f0: 672f 223e 6164 6d69 6e3c 2f61 7267 303e g/">admin</arg0> 0x0300: 3c2f 6c6f 6769 6e3e 3c2f 736f 6170 656e </login></soapen 0x0310: 763a 426f 6479 3e3c 2f73 6f61 7065 6e76 v:Body></soapenv 0x0320: 3a45 6e76 656c 6f70 653e :Envelope> 10:30:20.750956 IP work_ip.22620 > bigsoft.co.uk.webcache: . ack 810 win 7300 0x0000: 4500 0028 b457 4000 3806 4e54 c30c 1422 E..(.W@.8.NT..." 0x0010: 576a 118c 585c 1f90 80d9 1983 e3f5 d134 Wj..X\.........4 0x0020: 5010 1c84 8bb8 0000 0000 aaaa aaaa P............. 10:30:20.751148 IP work_ip.22620 > bigsoft.co.uk.webcache: F 770:770(0) ack 810 win 7300 0x0000: 4500 0028 b45a 0000 3806 8e51 c30c 1422 E..(.Z..8..Q..." 0x0010: 576a 118c 585c 1f90 80d9 1983 e3f5 d134 Wj..X\.........4 0x0020: 5011 1c84 8bb7 0000 0000 aaaa aaaa P............. 5 packets captured 5 packets received by filter 0 packets dropped by kernelThe SOAPAction header had disappeared in transit from the work location but not from the home location. The question of where it went is a mystery! A quick Google hinted at various proxy caches stripping it away - so that is my next investigation!
No feedback yet
Form is loading...