This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Analyzing both directions of WebDAV transactions


Hi, the Sample Captures page does not include capture filters for analyzing WebDAV traffic (unless WebDAV traffic is known under some other name?).

I'm specifically trying to investigate the difference in how two programs request a folder listing from the server. One program completes in less than 2 seconds, the other program takes 40+ seconds and almost 4 times the data is sent back from the server, so it looks like the second program requests a lot more than the folder contents. I'm running the WebDAV server on a physically different computer in a test environment, so it is set up as an HTTP server with only Basic Authentication; my expectation would be to see packets with username and password and also the "commands" or requests unencrypted and in plain format.

My problem is that when I do a capture, I only see traffic FROM the WebDAV Server TO the client. I don't see any traffic at all from the client to the server. I would expect to see: a) client log-on and session opening traffic b) client request/command packets.

What I tried (all of the below were done with promiscuous mode on):

1) No capture filter: start capture before running the test programs, end capture after the programs complete, then use display filters to attempt to show any and all traffic TO the server using the server MAC, such as eth.addr == xx:xx:xx:xx:xx:xx. I also used "destination" and "source" IP filters to see server-to-client and client-to-server traffic. No luck.

2) Capture filters in various combinations, such as: host 192.168.1.175 and host 192.168.1.9, or ether host XX:XX:XX:XX:XX:XX, or ether dst XX:XX:XX:XX:XX:XX. Again, I get nothing going to the server?!

I have so far attempted the captures on the same PC as the WebDAV client is running, which seems like it should be fine to do, since traffic to the server would originate on this machine. However, I also have a SharkTap and could drum up other clients so I could do a man-in-the-middle capture, though I'm not sure why I would need to go to that step?

asked 02 Sep '14, 06:25


WhiteFang

I just completed a "man in the middle" (or so I think) capture using this capture filter: ether host XX:XX:XX:XX:XX:XX or ether host XX:XX:XX:XX:XX:XX. By my assumption/understanding, this capture filter should capture EVERYTHING from those two MAC addresses.

The PC running Wireshark was connected to the center port on the SharkTap "hub". The other two ports were used to put the SharkTap "in-line" between the client device and the network with the WebDAV server. The trace came back with 3 ARPs (not related) and 6 packets from the server and nothing again from the client. What am I doing wrong? Why is there no outbound traffic from the client in my captures?

(02 Sep '14, 06:59) WhiteFang

2 Answers:


WebDAV is a variant/an extension of HTTP communication (as you already know, apparently :-)), so it is really an HTTP capture you're looking for, e.g. "tcp port http" or "tcp port 80".

Can you provide some sort of diagram of your capture setup? It's a bit difficult to understand how and what you're capturing otherwise.

answered 02 Sep '14, 11:11


Jasper ♦♦


For completeness' sake, my answer is below, though in the process of writing my answer I found my "stupid user" problem: I was NOT running code from the client device the way I thought I was. My debugger mode was still on and the "client" code executed from my laptop IDE, not from my client device. So, long story short, WebDAV (and similar) must be sniffed using "man-in-the-middle" to get a complete picture of the transactions. For the broadest capture between two devices, use "ether host" filters to capture anything and everything between two physical MAC addresses.

I used both of these capture filters and both worked now that I'm properly executing on the device:

(ether host XX:XX:XX:XX:XX:XX or ether host XX:XX:XX:XX:XX:XX) and tcp port http

ether host XX:XX:XX:XX:XX:XX or ether host XX:XX:XX:XX:XX:XX

My setup as shown in ASCII art.. hope that helps:

    Client device --> SharkTap in / SharkTap out --> WebDAV Server
                              TAP port
                                 |
                        PC with Wireshark SW

Basically, the PC running Wireshark is connected to a SharkTap network sniffer that repeats all traffic on the two in/out ports onto a 3rd port, the tap, essentially acting as a good old-fashioned "stupid" hub.. but you probably know that. :)

Hope this clarifies and helps someone else in the future!

answered 02 Sep '14, 11:27


WhiteFang
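A quick sanity check for the symptom in this thread (a capture that holds only server-to-client frames), written as an added example and not part of the original posts: it parses a classic pcap, counts TCP port 80 frames per direction (the "tcp port http" filter from the answers) and reports which direction of the client/server conversation is missing. The IPs are the ones from the question; the MAC addresses and the sample frames are constructed placeholders.

```python
import socket
import struct
from collections import Counter

def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport):
    """Minimal Ethernet/IPv4/TCP frame with no payload (constructed sample data)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 0xFFFF, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return mac(dst_mac) + mac(src_mac) + b"\x08\x00" + ip + tcp

def build_pcap(frames):
    """Wrap frames in a classic little-endian pcap file (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for seq, frame in enumerate(frames):
        out += struct.pack("<IIII", seq, 0, len(frame), len(frame)) + frame
    return out

def http_directions(pcap):
    """Count TCP port 80 frames per (src_ip, dst_ip); ARP and non-HTTP frames are skipped."""
    counts, pos = Counter(), 24                        # 24 = size of the pcap global header
    while pos + 16 <= len(pcap):
        incl_len = struct.unpack("<I", pcap[pos + 8:pos + 12])[0]
        frame = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                   # too short, not IPv4 (e.g. ARP), or not TCP
        ihl = (frame[14] & 0x0F) * 4
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
        if 80 in (sport, dport):                       # equivalent of "tcp port http"
            counts[(src, dst)] += 1
    return counts

def missing_directions(pcap, client_ip, server_ip):
    """Directions absent from the capture; an empty list means both sides were seen."""
    seen = http_directions(pcap)
    return [d for d in ((client_ip, server_ip), (server_ip, client_ip)) if seen[d] == 0]

# Constructed samples: the poster's symptom (server->client only) versus a proper two-way tap capture.
CLIENT, SERVER = "192.168.1.9", "192.168.1.175"                    # IPs from the question
CLIENT_MAC, SERVER_MAC = "02:00:00:00:00:09", "02:00:00:00:00:af"  # placeholder MACs
ONE_WAY = build_pcap([build_frame(SERVER_MAC, CLIENT_MAC, SERVER, CLIENT, 80, 51000)] * 6)
TWO_WAY = build_pcap([build_frame(CLIENT_MAC, SERVER_MAC, CLIENT, SERVER, 51000, 80),
                      build_frame(SERVER_MAC, CLIENT_MAC, SERVER, CLIENT, 80, 51000)])

if __name__ == "__main__":
    print("one-way capture missing:", missing_directions(ONE_WAY, CLIENT, SERVER))  # [('192.168.1.9', '192.168.1.175')]
    print("two-way capture missing:", missing_directions(TWO_WAY, CLIENT, SERVER))  # []
```

To run it against a real file, read the pcap bytes from disk and call missing_directions with your client and server IPs; a non-empty result means the capture point (or, as in this thread, the client you actually ran) is not where you think it is.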