I'm using tshark protocol filter as I need to parse the contents of the SIP Packets.
tshark -r df32c2248fe646a6793ce9a63b124b34#0.0.0.0.pcap -O sip
I get this:
Frame 14: 553 bytes on wire (4424 bits), 553 bytes captured (4424 bits)
Linux cooked capture
Internet Protocol Version 4, Src: 4.4.4.4 (4.4.4.4), Dst: 3.3.3.3 (3.3.3.3)
User Datagram Protocol, Src Port: 5060 (5060), Dst Port: 5060 (5060)
Session Initiation Protocol (200)
Status-Line: SIP/2.0 200 OK
Status-Code: 200
[Resent Packet: False]
[Request Frame: 11]
[Response Time (ms): 115]
[Release Time (ms): 115]
Message Header
Via: SIP/2.0/UDP 2.2.2.2:5060;received=3.3.3.3;branch=z9hG4bK18f6609d-1c76-4a8b-a96b-2cf7d8036d36_6772d868_3067109296759172
Transport: UDP
Sent-by Address: 2.2.2.2
Sent-by port: 5060
Received: 3.3.3.3
Branch: z9hG4bK18f6609d-1c76-4a8b-a96b-2cf7d8036d36_6772d868_3067109296759172
Contact: <sip:14082186500#1.1.1.1:17060>
Contact URI: sip:14082186500#1.1.1.1:17060
Contact URI User Part: 14082186500
Contact URI Host Part: 1.1.1.1
Contact URI Host Port: 17060
To: <sip:14082186500#spicyramen.ippbx.com;user=phone>;tag=83174026
SIP to address: sip:14082186500#spicyramen.ippbx.com;user=phone
SIP to address User Part: 14082186500
SIP to address Host Part: spicyramen.ippbx.com
SIP To URI parameter: user=phone
SIP to tag: 83174026
From: <sip:anonymous#sip.ie1.sipprovider.com>;tag=87638703_6772d868_18f6609d-1c76-4a8b-a96b-2cf7d8036d36
SIP from address: sip:anonymous#sip.ie1.sipprovider.com
SIP from address User Part: anonymous
SIP from address Host Part: sip.ie1.sipprovider.com
SIP from tag: 87638703_6772d868_18f6609d-1c76-4a8b-a96b-2cf7d8036d36
Call-ID: df32c2248fe646a6793ce9a63b124b34#0.0.0.0
CSeq: 44365 BYE
Sequence Number: 44365
Method: BYE
User-Agent: 3CXPhoneSystem 14.0.44198.522 (44097)
Content-Length: 0
As you can see output is not collapse. I want to see something like this:
Frame 14: 553 bytes on wire (4424 bits), 553 bytes captured (4424 bits)
Linux cooked capture
Internet Protocol Version 4, Src: 4.4.4.4 (4.4.4.4), Dst: 3.3.3.3 (3.3.3.3)
User Datagram Protocol, Src Port: 5060 (5060), Dst Port: 5060 (5060)
Session Initiation Protocol (200)
Status-Line: SIP/2.0 200 OK
Message Header
Via: SIP/2.0/UDP 2.2.2.2:5060;received=3.3.3.3;branch=z9hG4bK18f6609d-1c76-4a8b-a96b-2cf7d8036d36_6772d868_3067109296759172
Contact: <sip:14082186500#1.1.1.1:17060>
To: <sip:14082186500#spicyramen.ippbx.com;user=phone>;tag=83174026
From: <sip:anonymous#sip.ie1.sipprovider.com>;tag=87638703_6772d868_18f6609d-1c76-4a8b-a96b-2cf7d8036d36
Call-ID: df32c2248fe646a6793ce9a63b124b34#0.0.0.0
CSeq: 44365 BYE
User-Agent: 3CXPhoneSystem 14.0.44198.522 (44097)
Content-Length: 0
WiresharkYou can use Wireshark to do the job.
Apply a display filter:
sip
Go to the the Packet Details pane.
Expand "Session Initiation Protocol"
Expand Request-Line, Message Header and Message Body* (do not Expand Subtrees)
Go to File - Export - Export Packet Dissections... - As "Plain Text" File...
Packet Format section: select "Packet Summery Line" and "Packet Details: As Displayed"
Add a file name and save the file
*Note
I have used sample file: aaa.pcap
Message Body: see packet 223
TShark
You can use -T Fields and add all the fields you need.
For example:
tshark -r aaa.pcap -Y sip -E header=y -E separator="?" -T fields -e frame.number -e sip.Request-Line -e sip.r-uri -e sip.Via -e sip.From -e sip.To -e sip.Call-ID -e sip.Contact -e sip.Expires -e sip.CSeq -e sip.User-Agent -e sip.Content-Length > aaa.csv
Related
When I add a custom search such as abc to /etc/resolv.conf on the node, the full service.namespace.svc.cluster.local domain name cannot be resolved inside the pod。
This is the content of /etc/resolv.conf inside my pod
nameserver 100.96.0.10
search system.svc.cluster.local svc.cluster.local cluster.local abc
options ndots:5
When I resolve short domain names such as apigateway. It can be resolved normally
bash-5.1# nslookup apigateway
Server: 100.96.0.10
Address: 100.96.0.10#53
Name: apigateway.system.svc.cluster.local
Address: 100.96.101.242
or something like this
bash-5.1# nslookup apigateway.system
Server: 100.96.0.10
Address: 100.96.0.10#53
Name: apigateway.system.svc.cluster.local
Address: 100.96.101.242
bash-5.1# nslookup apigateway.system.svc
Server: 100.96.0.10
Address: 100.96.0.10#53
Name: apigateway.system.svc.cluster.local
Address: 100.96.101.242
But when I add cluster.local it can't resolve
bash-5.1# nslookup apigateway.system.svc.cluster.local
Server: 100.96.0.10
Address: 100.96.0.10#53
*** Can't find apigateway.system.svc.cluster.local.abc: No answer
The external domain name also cannot be resolved
bash-5.1# nslookup www.github.com
Server: 100.96.0.10
Address: 100.96.0.10#53
*** Can't find www.github.com.abc: No answer
From the coredns log, we can see that when the full domain name apigateway.system.svc.cluster.local.abc. is queried, coredns returns noerror. But in fact the domain name does not exist
[INFO] 100.64.2.137:40043 - 60409 "AAAA IN apigateway.system.svc.cluster.local.system.svc.cluster.local. udp 78 false 512" NXDOMAIN qr,aa,rd 171 0.00021492s
[INFO] 100.64.2.137:40043 - 59971 "A IN apigateway.system.svc.cluster.local.system.svc.cluster.local. udp 78 false 512" NXDOMAIN qr,aa,rd 171 0.000247841s
[INFO] 100.64.2.137:56051 - 8509 "A IN apigateway.system.svc.cluster.local.cluster.local. udp 67 false 512" NXDOMAIN qr,aa,rd 160 0.000146127s
[INFO] 100.64.2.137:56051 - 8780 "AAAA IN apigateway.system.svc.cluster.local.cluster.local. udp 67 false 512" NXDOMAIN qr,aa,rd 160 0.000197555s
[INFO] 100.64.2.137:50812 - 47345 "AAAA IN apigateway.system.svc.cluster.local.svc.cluster.local. udp 71 false 512" NXDOMAIN qr,aa,rd 164 0.000198486s
[INFO] 100.64.2.137:50812 - 47072 "A IN apigateway.system.svc.cluster.local.svc.cluster.local. udp 71 false 512" NXDOMAIN qr,aa,rd 164 0.000296226s
[INFO] 100.64.2.137:50985 - 42386 "AAAA IN apigateway.system.svc.cluster.local.abc. udp 57 false 512" NOERROR qr,aa,rd,ra 57 0.026135963s
[INFO] 100.64.2.137:50985 - 41590 "A IN apigateway.system.svc.cluster.local.abc. udp 57 false 512" NOERROR qr,aa,rd,ra 57 0.059998825s
After I removed this custom search domain everything went back to normal
bash-5.1# nslookup www.github.com
Server: 100.96.0.10
Address: 100.96.0.10:53
Non-authoritative answer:
www.github.com canonical name = github.com
Name: github.com
Address: 20.205.243.166
Non-authoritative answer:
www.github.com canonical name = github.com
bash-5.1# nslookup apigateway.system.svc.cluster.local
Server: 100.96.0.10
Address: 100.96.0.10:53
*** Can't find apigateway.system.svc.cluster.local: No answer
Name: apigateway.system.svc.cluster.local
Address: 100.96.101.242
I setup a docker swarm with 3 nodes :
s1 : manager + worker
s2 : worker
s3 : worker
I deployed a nginx as a reverse proxy to a docker swarm service on each node with publishing port as mode=host to get the real ip. Nginx works "fine", i'am able to serve static content, use over https, etc ...
The part which doesn't work is the reverse_proxy :
if the nginx and the service are on the same node, everything works
if the nginx and the service aren't one the same node, i can only GET / because others requests ( like /css/style.css ) will fails with 499 ( from nginx point )
nginx network is an overlay network swarm-scopped and ip forwarding is enabled.
Here is my nginx configuration :
server {
listen 80;
server_name service.foo.bar;
location / {
proxy_pass http://service:80;
}
}
server {
listen 443 ssl;
server_name service.foo.bar;
ssl_certificate /ssl/service.foo.bar/fullchain.pem;
ssl_certificate_key /ssl/service.foo.bar/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
location / {
proxy_pass http://service:80;
}
}
Here is how i deployed my nginx :
docker service create --name nginx --mount /etc/nginx/nginx.conf:/etc/nginx/nginx.conf --mode=global --publish mode=host,published=80,target=80 --publish mode=host,published=443,target=443 --network nginx nginx
If i curl the node who hosts the service :
* TCP_NODELAY set
* Connected to service.foo.bar port 80 (#0)
> GET /app/polyfills.d92dcdb0a986e964fec8.js HTTP/1.1
> Host: service.foo.bar
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Server: nginx/1.21.6
< Date: Mon, 13 Jun 2022 15:38:36 GMT
< Content-Type: application/javascript
< Content-Length: 257750
< Connection: keep-alive
< cache-control: public, immutable, max-age=604800
< expires: Mon, 20 Jun 2022 15:38:36 GMT
< permissions-policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), sync-xhr=(self "https://haveibeenpwned.com" "https://2fa.directory"), usb=(), vr=()
< x-content-type-options: nosniff
< x-frame-options: SAMEORIGIN
< referrer-policy: same-origin
< x-xss-protection: 0
<
/*! For license information please see polyfills.d92dcdb0a986e964fec8.js.LICENSE.txt */
[...]
If i curl a node which doesn't host the service :
* TCP_NODELAY set
* Connected to service.foo.bar port 80 (#0)
> GET /app/polyfills.d92dcdb0a986e964fec8.js HTTP/1.1
> Host: service.foo.bar
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Server: nginx/1.21.6
< Date: Mon, 13 Jun 2022 15:38:25 GMT
< Content-Type: application/javascript
< Content-Length: 257750
< Connection: keep-alive
< cache-control: public, immutable, max-age=604800
< expires: Mon, 20 Jun 2022 15:38:25 GMT
< permissions-policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), sync-xhr=(self "https://haveibeenpwned.com" "https://2fa.directory"), usb=(), vr=()
< x-content-type-options: nosniff
< x-frame-options: SAMEORIGIN
< referrer-policy: same-origin
< x-xss-protection: 0
<
* transfer closed with 257750 bytes remaining to read
* Closing connection 0
curl: (18) transfer closed with 257750 bytes remaining to read
nginx log say :
nginx.0.scembp2e9iqp#s3 | 2022/06/13 15:38:36 [warn] 23#23: *114 an upstream response is buffered to a temporary file /var/cache/nginx/proxy_temp/5/00/0000000005 while reading upstream, client: #ip, server: service.foo.bar, request: "GET /app/polyfills.d92dcdb0a986e964fec8.js HTTP/1.1", upstream: "http://10.0.4.56:80/app/polyfills.d92dcdb0a986e964fec8.js", host: "service.foo.bar"
My nodes are connected each others over wireguard, this is my routing table :
default via #ip dev ens3
#ip dev ens3 scope link
10.252.1.0/24 dev wg0 proto kernel scope link src 10.252.1.1
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
172.19.0.0/16 dev docker_gwbridge proto kernel scope link src 172.19.0.1
Here is my wireguard configuration :
[Interface]
Address = 10.252.1.1/24
ListenPort = 51820
PrivateKey = ***
[Peer]
PublicKey = ***
AllowedIPs = 10.252.1.2/32
Endpoint = #s2
[Peer]
PublicKey = ***
AllowedIPs = 10.252.1.3/32
Endpoint = #s3
This is my firewall configuration :
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:FILTERS - [0:0]
:DOCKER-USER - [0:0]
-F INPUT
-F DOCKER-USER
-F FILTERS
-A INPUT -i lo -j ACCEPT
-A INPUT -j FILTERS
-A DOCKER-USER -i ens3 -j FILTERS
-A FILTERS -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FILTERS -p icmp --icmp-type echo-request -j ACCEPT
-A FILTERS -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A FILTERS -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A FILTERS -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A FILTERS -p udp --dport 51820 -j ACCEPT
-A FILTERS -s 10.252.1.0/24 -j ACCEPT
-A FILTERS -j REJECT --reject-with icmp-port-unreachable
COMMIT
Any ideas ? Am i missing something ?
ngrok (Ctrl+C to quit)
Tunnel Status online
Version 1.7/1.7
Forwarding tcp://tunnel.123.com:12500 -> 127.0.0.1:22
# Conn 0
Avg Conn Time 0.00ms
How can i change tcp://tunnel.123.com:12500 -> 127.0.0.1:22 to tcp://TEST.123.com:12500 -> 127.0.0.1:22
My config is here
server_addr: "123.com:4443"
trust_host_root_certs: false
tunnels:
ssh:
proto:
tcp: 22
subdomain: TEST
remote_port: 12500
I am trying to get a response from portquiz.net when probing port 80. For example, if we do this:
curl portquiz.net:80
we get the response:
Port 80 test successful!
Here is the python code:
import socket
server = "portquiz.net"
port = 80
with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
s.connect((server, port))
response = s.recv(1024)
print(repr(response))
With this code I get no response, the script just seems to hang.
Is this an issue with my code or is it something to do with portquiz's server?
Fingers, that is an HTTP server, so you need to make a GET request to it. As soon as you connect it is waiting for you to send data, that is why it hangs.
You can do this more easily with an HTTP library, however, if you want to use socket here is the code, with example run:
(xcve) ttucker#plato:~/tmp/stackoverflow/portquiz.net$ cat test.py
import socket
server = "portquiz.net"
port = 80
with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
s.connect((server, port))
# Send HTTP GET request to /
s.send('GET / HTTP/1.1\r\nHOST: {}\r\n\r\n'.format(server).encode())
response = s.recv(1024)
print(repr(response))
(xcve) ttucker#plato:~/tmp/stackoverflow/portquiz.net$ python test.py
b'HTTP/1.1 200 OK\r\nDate: Sun, 21 Jul 2019 22:25:32 GMT\r\nServer: Apache/2.4.29 (Ubuntu)\r\nVary: Accept-Encoding\r\nContent-Length: 2747\r\nContent-Type: text/html; charset=UTF-8\r\n\r\n\n<html>\n<head>\n<title>Outgoing Port Tester</title>\n<style type="text/css">\nbody {\n\tfont-family: sans-serif;\n\tfont-size: 0.9em;\n}\n</style>\n\n</head>\n\n<body>\n<h1>Outgoing port tester</h1>\n\nThis server listens on all TCP ports, allowing you to test any outbound TCP port.\n\n<p>\nYou have reached this page on port <b>80</b>.<br/>\n</p>\n\nYour network allows you to use this port.\n(Assuming that your network is not doing advanced traffic filtering.)\n\n<p>\nNetwork service: http<br/>\nYour outgoing IP: 207.135.66.186</p>\n\n<h2>Test a port using a command</h2>\n\n<pre>\n$ telnet portquiz.net 80 \nTrying ...\nConnected to portquiz.net.\nEscape character is \'^]\'.\n</pre>\n<pre>\n$ nc -v portquiz.net 80 \nConnection to portquiz.net 80 port [tcp/daytime] succeeded!\n</pre>\n<pre>\n$ curl portquiz.net:80 \nPort 80 test successful!\nYour IP: 207.135.66.186</pre>\n<pre>\n$ wget -q'
Further thoughts on this, it looks like the sight might be looking for a CURL header when to determine which version - either HTML, or TEXT - that it sends. It may behoove you to specify the same header after the "HOST: " header that CURL does so the response is easier to parse.
For the example of it with a curl header, and how I figured out what to put there:
(xcve) ttucker#plato:~/tmp/stackoverflow/portquiz.net$ curl portquiz.net:80 -vvvv
* Rebuilt URL to: portquiz.net:80/
* Hostname was NOT found in DNS cache
* Trying 52.47.209.216...
* Connected to portquiz.net (52.47.209.216) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.35.0
> Host: portquiz.net
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Sun, 21 Jul 2019 22:34:36 GMT
* Server Apache/2.4.29 (Ubuntu) is not blacklisted
< Server: Apache/2.4.29 (Ubuntu)
< Content-Length: 49
< Content-Type: text/html; charset=UTF-8
<
Port 80 test successful!
Your IP: 207.135.66.186
* Connection #0 to host portquiz.net left intact
(xcve) ttucker#plato:~/tmp/stackoverflow/portquiz.net$ cat test.py
import socket
server = "portquiz.net"
port = 80
with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
s.connect((server, port))
get_request = "GET / HTTP/1.1\r\nHOST: {}\r\n" \
"User-Agent: curl/7.35.0\r\n\r\n".format(server)
s.send(get_request.encode())
response = s.recv(1024)
print(repr(response))
(xcve) ttucker#plato:~/tmp/stackoverflow/portquiz.net$ python test.py
b'HTTP/1.1 200 OK\r\nDate: Sun, 21 Jul 2019 22:34:47 GMT\r\nServer: Apache/2.4.29 (Ubuntu)\r\nContent-Length: 49\r\nContent-Type: text/html; charset=UTF-8\r\n\r\nPort 80 test successful!\nYour IP: 207.135.66.186\n'
telnet localhost pop3
Trying ::1...
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused
netstat -l
tcp 0 0 *:www : LISTEN
tcp 0 0 localhost.localdoma:ipp : LISTEN
tcp 0 0 *:smtp : LISTEN
tcp 0 0 localhost.localdo:mysql : LISTEN
when i run this service dovecot start i got
start: Rejected send message, 1 matched rules; type="method_call", sender=":1.553" (uid=1000 pid=26250 comm="start) interface="com.ubuntu.Upstart0_6.Job" member="Start" error name="(unset)" requested_reply=0 destination="com.ubuntu.Upstart" (uid=0 pid=1 comm="/sbin/init"))
on Dovecot.conf
protocols = imap imaps pop3 pop3s
disable_plaintext_auth = no
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_location = maildir:/var/spool/mail/%d/%n
mail_access_groups = mail
first_valid_uid = 106
first_valid_gid = 106
protocol imap {
}
protocol pop3 {
listen=*:110
pop3_uidl_format = %08Xu%08Xv
}
protocol lda {
postmaster_address = samer#aiu.com
mail_plugins = quota
log_path = /var/log/dovecot-deliver.log
info_log_path = /var/log/dovecot-deliver.log
}
auth default {
mechanisms = digest-md5 plain
passdb sql {
args = /etc/dovecot/dovecot-mysql.conf
}
userdb sql {
args = /etc/dovecot/dovecot-mysql.conf
}
user = root
}
If you get this message on the command line:
start: Rejected send message, 1 matched rules; type="method_call", sender=":1.553" (uid=1000 pid=26250 comm="start) interface="com.ubuntu.Upstart0_6.Job" member="Start" error name="(unset)" requested_reply=0 destination="com.ubuntu.Upstart" (uid=0 pid=1 comm="/sbin/init"))
It indicates that you're not doing service dovecot restart as root. So make sure you do:
sudo service dovecot restart
The directive protocols = imap imaps pop3 pop3s should be sufficient to activate pop3 with dovecot. You can add
listen = *
to be sure dovecot will listen on all available interfaces. You can verify this by netstat -apn | grep 110. Are there any failures while starting dovecot? Can you post the dovecot related logs?
By default, dovecot logs to syslog, you can explicitly specify the log files:
# Log file to use for error messages, instead of sending them to syslog.
# /dev/stderr can be used to log into stderr.
log_path = /var/log/dovecot.log
# Log file to use for informational and debug messages.
# Default is the same as log_path.
info_log_path = /var/log/dovecot.info.log