I am trying to use wireshark to debug some network traffic between my machine and a remote mysql server. I downloaded mysql_complete.pcap file and when I open it up in wireshark it shows as:
I also tried mysql-ssl.pcapng and it shows up as:
but the communication between my machine and the remote mysql server is showing up as a cryptic ESP protocol:
Could anyone explain why and what can I do to inspect the traces as understandable MySQL
This happened as the two machines were communicating over a secure VPN. I don't know if there is a way to convert the ESP messages into MySQL
This is a little late. As mentioned by #morpheus, it appears that there is VPN here. So to capture the traffic in clear text, you should not select the standard network interface to sniff on, you can sniff on the VPN interface.
Related
I am using MySQL workbench on windows, which I want to connect to a Node-Red running on the IBM cloud. Since I don't run them on the same server the host 127.0.0.1 and port 3306 does not seem to work. What permissions should I give?
I'm going to make a LOT of assumptions here, because there really isn't enough information in your question.
First assumption, by "running on IBM" you mean that Node-RED is running on the IBM Cloud hosting service.
The short answer is you can not do what you want.
The longer version is that you probably could actually make this work but doing it is a REALLY bad idea.
Second assumption, you are doing this from home (even if you are doing it from a office location the same problems are likely to apply). This means you are connected to a local LAN using RFC 1918 address range (e.g. 192.168.0.x), this means you are behind a router that is performing NAT (Network Address Translation). This means you are going to need to set up portforwarding on the router so that when traffic arrives at the router it will send it on to your Windows machine. How you do this will depend on your router.
Next problem, your broadband probably doesn't have a static IP address which means it will change every time your connection drops. There are work arounds for this using things like Dynamic DNS. But that's too complicated to get into here.
Assuming you get all of that sorted out you still have the problem that you have now exposed your mysql database to the internet, so you need to make sure you have enabled all the right security measures to prevent people logging in and at best seeing all your data.
There are 2 much better solutions to this
Run Node-RED on the same machine or at least on the same local network as the database.
Use one of IBM Clouds hosted database solutions, these are a lot easier to connect to a IBM Cloud instance of Node-RED.
If you do not want to open ports to your network I recommend using a free MYSQL remote server
A simple website is https://remotemysql.com
Just take the screenshot of the credentials of your database after registration.
Keep in mind if your database is empty it will get deleted after some time.
I have been looking around to see if there is some simple, stand-alone(ish) agent/server setup that would allow a ping to be launched from a host with an agent on it. When I say "ping," I mean via icmp echo and/or tcp port check. I have Windows, Linux, and AIX systems that would get such an agent.
I would like to set up a central server with authentication that can issue pings from any device that has one of these agents. The primary use would be VPN testing, so that traffic can be initiated from a device that I don't necessarily have access to.
It seems that some monitoring software has this (e.g., Zabbix) but I don't want to go through the pain of installing a whole big piece of software like that just to get this functionality.
Almost all our AIX and Linux systems have perl installed, so that could be a nice option if I had to write my own. I would rather find something "tried-and-true" though...
I didn't realize that we already had SaltStack installed on almost all our servers (I'm a network guy, not a server guy). Once I talked to one of the server administrators, he showed me how this could be done using Salt.
Can TCPDump and TCPReplay be used to record(tcpdump) network traffic coming in to a application server/webserver/queue application etc., and then replayed using the dump on TCPReplay?
Let's say I setup a apache server and use TCPDump to capture the entire network traffic and dump it to a file. Now I run apache in a different machine and want to replay the traffic to this new apache server using the file. How can I achieve this?
I especially want to understand how TCPReplay would work in such a scenario. i.e. how would syn/ack responses work for TCP. How would a new a connection etc. be initiated?
Fred is right. Also, this question is answered in the Tcpreplay FAQ: http://tcpreplay.synfin.net/wiki/FAQ#Doestcpreplaysupportsendingtraffictoaserver
No, you cannot use Tcpreplay to replay traffic to a server. TCP sessions have random sequence numbers, and are fully stateful. Replaying previously recorded TCP traffic will be ignored by a server.
I have a testapp consisting of an HTML5/WebSocket client and an HTTP/WS server. Both servers are in C#; the HTTP server is my own simple thing and the WS server is also homebrew based on concepts from http://nugget.codeplex.com/. HTTP server is listening on 0.0.0.0:5959 and WS server on 0.0.0.0:5960 (accept connections from any client, but on different ports).
My index.html includes some JavaScript that opens a WebSocket to 'ws://'+document.location.hostname+':5960/' (that is, to the same IP address that the webpage came from, but on port 5960). The WS server sends sample data every 100ms. All in all, it's a pretty straightforward demo.
I'm using Chrome 12.0 on Windows7.
I've found that the HTTP server works from any client, either a browser on my machine pointed to 127.0.0.1:5959 or localhost:5959, AND it works when any machine (mine or a remote machine... "remote" being a different PC on my desk :) hits my server machine's work-internal 10-net address 10.122.0.159:5959. Everything works as expected in HTTP land.
However, the WebSocket only works on 127.0.0.1 and localhost; remote machines can successfully fetch HTML from 10.122.0.159:5959 but the WebSocket will NOT connect to 10.122.0.159:5960. In fact, when I point my local browser to it's own 10-net address (10.122.0.159:5959) I get the same result - HTML loads but WebSocket does not connect.
Any ideas as to why this might be happening?
Does CORS require that the WS be using the same port as the HTTP request originated from? If so, is there a special exception to the rule for 127.0.0.1?
Many thanks,
-Dave
Update
It seems to be caused by a proxy server blocking ws:// requests. Our company employs a proxy server for content filtering and all the usual stuff, and our browsers are configured to use it.Chrome uses IE's proxy settings, and IE's default settings are for localhost to not use a proxy server. When I check the box to have local connections also use the proxy server, my ws:// requests to localhost get blocked. Conversely, when I uncheck the "use proxy server" box my server does rx the WS request. Similarly with the remote machine, if I turn off the proxy on the remote machine my server does rx the ws:// request.
So it's a proxy thing, not a CORS or socket thing, and now I'm off to explore proxy settings with our IT folks.
There is no WebSocket limitation on cross-origin except what is governed by the CORS security in the handshake.
It sounds like something is wrong with your WebSocket server and it is only listening on localhost for connections. I would add some debug output to the OnClientConnect routine in Nugget (WebSocketServer.cs) so you can see when socket connections happen. If you really think it isn't a problem with the server then I would suggest using wireshark and comparing the localhost connection to the remote connection.
Also, if you are using the SilverLight WebSocket prototype (README) in IE 9, then you are restricted to ports 4502-4534 for WebSocket connections. It's possible that for localhost this restriction is lifted.
It is/was indeed a proxy thing.
Rather than asking our IT folks to make changes (good luck with that, eh?) I simply turned off proxy for 10.122.0.159 ([Howto for IE/Chrome][1]). I briefly experimented with turning it off for the ws:// protocol but couldn't get it to work, so for now just opening that one IP address does the trick.
A process is connecting to a certain ip or domain, but I do not know what it is. The process can't connect to the server. How do I find and change it?
TCPView and netstat work best for connections already established, which isn't the original poster's position.
A better tool for this task is a packet sniffer, which can observe the connection attempt. I recommend Wireshark, which is available for all major platforms.
Details:
Install, then start Wireshark
Press Ctrl-K to start capturing
Select the network interface that you expect the program to use
Type "tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn" in the Capture Filter box (no quotes)
Start the capture, go make your program try to connect, and then stop the capture.
If you do the last step fast enough on a machine without a lot of other network activity, you will have only one captured packet. Otherwise, you'll have to dig through a list to find the one you want. This packet will show the TCP port the program is trying to use.
Type netstat at the cmd prompt to see what ports are being used by active processes. Aside from that, you can't change the port being used by the proc to connect (unless you built the app obviously)
TCPView is a nice little utility that will show you all the open connections and endpoints on the local machine.
If the program is connecting using a DNS name (e.g., example.com), you can use the hosts file (c:\windows\system32\drivers\etc\hosts) to make that name map to a different IP address.
If you mean redirect the connection programmatically, that is a lot more complicated. You're not writing malware, are you?