SSL/TLS packets for 302/redirects not being captured
I just installed Wireshark 3.4.8, and am trying to trying to diagnose a problem with requests that are going to a URL that is protected by an Oracle OAM webgate, where the request is being made from a webpage that contains Javascript and XMLHttpRequest code. The initial request is going through a CORS proxy ("CORS Anywhere") that I host locally.
For requests that go to OAM-protected URLs, the OAM webgate causes several 302/redirects, and I am using Wireshark to try to capture that information. The initial flow looks like:
1) Browser+Javascript+XHR =====> protected URL (this is non-SSL)
2) OAM webgate sends 302/redirect response =====> browser (the "location:" response header is something like "https://access....", i.e., the 302/redirect is TO a different SSL-enabled URL.
3) In the normal OAM flow, the next 302/redirect is also to an SSL-enabled URL
4) And after that, there are 2 more 302/redirect (so 2 more requests/responses) that are to non-SSL enabled URLs.
In the Wireshark capture, I can see the #2 (the response), but I DON'T SEE any other requests/responses until the final request/response pair, i.e., most of the 302 request/responses appear to be missing from the Wireshark capture.
From the response in the LAST request/response, I can see some response headers that are injected by the CORS Anywhere proxy:
x-request-url: http://fakewava04.....com:7777/wavatarget-charlie/index.html\r\n
[truncated]X-CORS-Redirect-1: 302 https://access.....com:443/oam/server/obrareq.cgi?encquery%3DU0nGIZcbFsG....9rEMX%2F49HbZJlUlxs0GJC8avVVeh4ADw9ZWUeC9FgSl%2BsWWGInx6qg7nW5%2BdOpyBxBLv
[truncated]X-CORS-Redirect-2: 302 https://access.....com:443/oam/CredCollectServlet/X509?bmctx=E63431A...ED5B8A0EB8ECB&ssoCookie=disablehttponly&challenge_url=%2Foam%2FCredCollectServlet%2FX509&request_id=-86947040
and:
[truncated]x-final-url: https://access.....com:443/oam/CredCollectServlet/X509?bmctx=E63431AD72....B8A0EB8ECB&ssoCookie=disablehttponly&challenge_url=%2Foam%2FCredCollectServlet%2FX509&request_id=-869470400032903949
Those "X-CORS-Redirect-1" and "X-CORS-Redirect-2" headers, and the "x-final-url" header are added to the response by the CORS Anywhere, for debugging purposes, and that SEEMS to indicate that there WERE those requests, BUT the actual requests don't seem to be captured by Wireshark, for some reason.
I had suspected that those 2 request/responses might not have been captured because those URLs were SSL-enabled, so I configured Wireshark with the server private key, but even after that, I still am not seeing the actual re-directed requests/responses.
FYI, in Wireshark I have been using "http||tls" as the filter...
Can anyone suggest what I need to do in order to get Wireshark to either capture those missing 302 request/responses, or to make them visible in Wireshark?
Sorry for the longish post :(!!
Thanks, Jim
As I was thinking about the last comment to Andre below, I realized that I had not mentioned one, possibly important, piece of information:
The machines that I am working/testing on are on Amazon AWS. The thing is with AWS is that, I believe that the network adapters don't operate in promiscuous mode.
That is probably why when I ran the tcpdump on the other machine (per comment below) I was seeing one of the 302 request/response pairs in tcpdump, but I wasn't able to see that 302 request/response pair in Wireshark on my "workstation" machine.
Has anyone been able get around that AWS limitation?
Thanks, Jim
I don't think you are supposed to be able to do that. It would break stuff for the hosting party. Networking inside clouds is rather different. And it coukld break things if anyone could put machines in promicious mode.
So in a cloud setup all traffic you can see is what goes to your machine Which also makes it some times harder to troubleshoot there because some machines in the cloud can't capture themselves at all..
Hi,
As I mentioned in the part of the thread with Andre below, I started building a new environment using VirtualBox, and I have it almost done/working.
I setup most of the machines, including 2 apaches (one to host the page with the javascript and the other to host the "target" URL for the Javascript/XHR. I also have a Windows machine in a VM and I have Wireshark installed on that machine, and I have the adapter on that machine set to Promiscuous, and I use the browser on that same machine. So the overall configuration is th same as what I had on AWS.
I have not added in the OAM webgate/protection yet, but I was testing with the Apaches and some preliminary test setup using mod_alias/Redirect directives on the target Apache configuration. This is also still only non-SSL so far, but when I test ...(more)
BTW, off-topic, but how can I format text in comments in "add comment"? It seems to just glom all of the text together so the formatting is really hard to read???
The formatting for a comment is (almost) the same as for an answer so I sometimes use the answer block as a preview for a comment :-).