Packet Capture explained - finding those hard to spot URLs

July 18, 2011 • Customer Services       

As of the 1.5.x release, CensorNet has a feature called "Capture HTTP Transactions" which is found under the System -> Maintenance menu. If you are wondering what this feature is for, and how to use it, then read on.

You will need to download and install a copy of Wireshark in order to use the "Capture HTTP Transactions" feature. Wireshark can be downloaded here: http://www.wireshark.org/download.html. Wireshark is a network protocol analyser and it can be used to decipher communications between a web browser and the CensorNet proxy.

EXAMPLE SCENARIO

There is a problem with attachments when using Google Mail. We are trying to upload "foobar.txt", but the file upload portion of the Google Mail application uses Flash to perform the upload, and it stops at 75%. You cannot see from the browser which URL the file contents are being posted to. When uploading the file, CensorNet appears to be blocking it, but you don't know why.

This is where the "Capture HTTP Transactions" feature can be invaluable.

1. Go to System -> Maintenance -> Capture HTTP Transactions

2. Enter the IP address of the computer running the web browser you were using to upload the file.

IMPORTANT: This will capture a LOT of packets, so it is best to close all other Internet applications that may use the proxy on the specified PC (10.0.0.5) before starting the capture. This includes instant messaging and other web-based applications. When you are ready, click "Start Capture".

3. Perform the action that was causing the problem on the computer specified in step 2, e.g. 10.0.0.50. Perform as few actions as possible to trigger the problem, so as to reduce the number of packets captured.

4. Return to the CensorNet control panel and click "Stop Capture". You will be prompted to download a file containing the packet data captured. Save this to your computer.

5. Now start Wireshark and open the file that you downloaded in step 4.

6. You will see all the captured packets in the view window. The green highlighted rows are the HTTP protocol packets. In our scenario, the file attachment feature uses the POST method to send the file to the server, so we are looking for a POST packet, e.g.:

7. Right-click on the entry and choose "Follow TCP Stream". This opens the contents of the packet stream, and we can see what has happened to our "foobar.txt" file, e.g.:

Scrolling down through the packet trace, we can see that CensorNet has asked the Flash applet for authentication, because it is configured to do so.

A bit more investigation shows that the applet did not authenticate, and therefore CensorNet sent a "Login Failed" message back to the applet. Of course, all of this is hidden from view in your browser, but it explains why the upload is failing.

So what can we do? We have ascertained that the problem is caused by the Flash applet failing to authenticate with CensorNet, that is, it fails to provide a valid username/password for your Domain Controller. The easiest option is to tell CensorNet to ignore authentication for the Flash applet's requests. To do this, we need to identify the URL that the Flash applet is using. Scrolling back to the top of the "Follow TCP Stream" window, we can find that information, e.g.:

8. We can now add "mail.google.com/mail" to the Filter Bypass list in CensorNet, which solves the file attachment problem with Google Mail.
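Steps 6 to 8 above pick the POST request and its URL out of the capture by hand in Wireshark. The following is an added example, not part of the original article or of CensorNet, that does the same pass over a pcap file with only the Python standard library: it walks the Ethernet/IPv4/TCP frames, lists every segment that opens an HTTP request or response (the rows Wireshark colours green) and collects the POST URLs that never appear in the browser. The proxy address 10.0.0.1, port 8080, the status codes and the /mail/attach path are assumptions used only to construct the sample capture.

```python
import struct

def build_frame(src, dst, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame; checksums stay zero since it is only parsed, never sent."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def build_pcap(frames):
    """Wrap frames in a classic pcap file (magic 0xa1b2c3d4, link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

def http_transactions(pcap):
    """(src, dst, first_line, host) for each TCP segment that opens an HTTP request or response."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"   # pcap magic decides byte order
    pos, rows = 24, []                                         # skip the 24-byte global header
    while pos + 16 <= len(pcap):
        caplen = struct.unpack(endian + "IIII", pcap[pos:pos + 16])[2]
        frame, pos = pcap[pos + 16:pos + 16 + caplen], pos + 16 + caplen
        ip = frame[14:]
        if frame[12:14] != b"\x08\x00" or ip[9] != 6:          # IPv4 carrying TCP only
            continue
        tcp = ip[(ip[0] & 0x0F) * 4:]                          # honour the IP header length
        payload = tcp[(tcp[12] >> 4) * 4:].decode("latin-1")   # and the TCP data offset
        first = payload.split("\r\n", 1)[0]
        if not (first.startswith("HTTP/") or first.split(" ")[0] in {"GET", "POST", "PUT", "HEAD", "CONNECT"}):
            continue
        host = next((h.split(":", 1)[1].strip() for h in payload.split("\r\n")
                     if h.lower().startswith("host:")), None)
        src, dst = (".".join(map(str, ip[i:i + 4])) for i in (12, 16))
        rows.append((src, dst, first, host))
    return rows

def post_urls(pcap):
    """Distinct POST request targets: the URLs the browser never shows you."""
    return sorted({f.split(" ")[1] for _, _, f, _ in http_transactions(pcap) if f.startswith("POST ")})

# Constructed sample of the article's scenario: 10.0.0.50 POSTs via the proxy (10.0.0.1 is an assumed address),
# the proxy demands authentication, and the unauthenticated retry is refused. Status codes and the path are made up.
UPLOAD = b"POST http://mail.google.com/mail/attach HTTP/1.1\r\nHost: mail.google.com\r\n\r\n"
FRAMES = [
    build_frame("10.0.0.50", "10.0.0.1", 50123, 8080, UPLOAD),
    build_frame("10.0.0.1", "10.0.0.50", 8080, 50123, b"HTTP/1.1 407 Proxy Authentication Required\r\n\r\n"),
    build_frame("10.0.0.50", "10.0.0.1", 50123, 8080, UPLOAD),
    build_frame("10.0.0.1", "10.0.0.50", 8080, 50123, b"HTTP/1.1 403 Forbidden\r\n\r\nLogin Failed"),
]
```

To run it over a capture you downloaded in step 4, pass the file's bytes to http_transactions() in place of build_pcap(FRAMES); only classic pcap is handled, not pcapng.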

This is just one example of the power of the packet capture feature. It can be used to diagnose all manner of problems when connections are happening behind the scenes of your web browser.

Last modified on Mon, July 18, 2011