[Winpcap-users] can not get any captured package when

Lin George george4academic at yahoo.com
Thu Aug 7 07:05:13 GMT 2008


Thanks Bryan,
1.
My mistake before. The ping is not successful through the proxy. Here is my result.
--------------------
ping www.google.com
Pinging www.l.google.com [72.17.235.101] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
--------------------
My question is, if the ping fails, where does the resolved IP 72.17.235.101 come from?
2.
> and my
> client resolver library switches their order each time the name is
> requested.  I believe that's because my caching nameserver switches
> their order too, but I don't know that for sure (haven't looked at the
> order of returned records in the raw packet).  Most programs just choose
> the first address in the list.

You mean each time the ping returns 3 addresses for google.com, but on the console only one is displayed each time, and which one is displayed is controlled by the console client internally? I am confused why in your result there is a different result each time, because you mentioned the timeout is 5 minutes and the same result should be returned within 5 minutes, correct?
3.

> may not allow pings out either (or name resolution, for that matter) --
> but it sounds like yours does, so that shouldn't be an issue.

Why does the proxy not allow ping? Do you have any documents describing this? From my reply in item 1, it seems ping is not allowed.
regards,
George
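Bryan's point in item 2 is about the order of the A records inside the raw DNS reply, which he says he has not looked at. The following is an added example (not code from this thread or from WinPcap) that builds a constructed DNS response in wire format with the CNAME and three A records from the thread, parses the answer section back out, and shows how a round-robin nameserver that rotates the records changes which address a client that "just takes the first one" ends up using. The message ID, flags and rotation pattern are assumptions made for the example.

```python
import struct


def encode_name(name: str) -> bytes:
    """Wire-encode a DNS name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_response(qname: str, cname: str, addrs: list, ttl: int = 300) -> bytes:
    """Constructed DNS response: one question, a CNAME answer, then one A record
    per address in the order given (the shape of the www.google.com reply in the thread)."""
    # ID (assumed), flags QR|RD|RA, QDCOUNT=1, ANCOUNT=1+len(addrs), NSCOUNT=0, ARCOUNT=0
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1 + len(addrs), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)        # QTYPE=A, QCLASS=IN
    qname_ptr = struct.pack("!H", 0xC000 | 12)                       # pointer to the question name
    cname_wire = encode_name(cname)
    cname_rr = qname_ptr + struct.pack("!HHIH", 5, 1, ttl, len(cname_wire)) + cname_wire
    cname_off = 12 + len(question) + len(qname_ptr) + 10             # offset of the CNAME target
    owner_ptr = struct.pack("!H", 0xC000 | cname_off)                # A records are owned by the target
    a_rrs = b"".join(
        owner_ptr + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in a.split("."))
        for a in addrs
    )
    return header + question + cname_rr + a_rrs


def read_name(msg: bytes, off: int):
    """Decode a possibly-compressed name; return (name, offset just past it in the stream)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                                    # compression pointer
            if end is None:
                end = off + 2
            hops += 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        if length == 0:
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), end if end is not None else off


def parse_answers(msg: bytes) -> list:
    """Return the answer section in wire order as (owner, type, ttl, value) tuples."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        _, off = read_name(msg, off)
        off += 4                                                     # skip QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        owner, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1:                                               # A
            value = ".".join(str(b) for b in msg[off:off + 4])
        elif rtype == 5:                                             # CNAME
            value, _ = read_name(msg, off)
        else:
            value = msg[off:off + rdlen].hex()
        answers.append((owner, rtype, ttl, value))
        off += rdlen
    return answers


def a_records(msg: bytes) -> list:
    """All A-record addresses, in the order the server sent them."""
    return [v for _, t, _, v in parse_answers(msg) if t == 1]


def first_address(msg: bytes) -> str:
    """What most programs do: use the first A record and ignore the rest."""
    return a_records(msg)[0]


# The three addresses Bryan's pings showed, as constructed input for the example.
ADDRS = ["64.233.167.99", "64.233.167.104", "64.233.167.147"]


def rotated_responses(n: int = 3) -> list:
    """Simulate a round-robin nameserver: each successive reply rotates the A records by one."""
    return [build_response("www.google.com", "www.l.google.com", ADDRS[i:] + ADDRS[:i])
            for i in range(n)]


if __name__ == "__main__":
    for m in rotated_responses():
        print("answers:", a_records(m), "-> client uses", first_address(m))
```

Every reply carries the same three addresses within the TTL; only their order differs, which is why a client that picks the first record sees a different address on each lookup. Running the same parser over a real capture of port 53 traffic would show whether the caching nameserver or the client library is the one doing the rotating.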


----- Original Message ----
From: Bryan Kadzban <bryan at kadzban.is-a-geek.net>
To: Lin George <george4academic at yahoo.com>
Cc: winpcap-users at winpcap.org
Sent: Wednesday, August 6, 2008 8:34:06 PM
Subject: Re: [Winpcap-users] can not get any captured package when


Lin George wrote:
>> When you're pinging (or doing HTTP to) www.google.com, or when
>> you're pinging (or doing HTTP to) a.b.c.d directly?
> 
> I am pinging www.google.com, and get its IP address like a.b.c.d.

Yes, but the next time you ping it by name, you'll get a different
address -- at least if your name resolution works anything like mine:

$ ping www.google.com
PING www.l.google.com (64.233.167.99): 48 data bytes
...
$ ping www.google.com
PING www.l.google.com (64.233.167.104): 48 data bytes
...
$ ping www.google.com
PING www.l.google.com (64.233.167.147): 48 data bytes

Notice the last octet of the address.

>> Otherwise instead of trying to match up two random values (the
>> result of the windump name resolution and the result of the name
>> resolution done by the other program), you're trying to match one
>> fixed value (the "manual" name resolution) to one random value (the
>> result of the name resolution done by the other program).  *Both*
>> need to be fixed.
> 
> Could you explain why you think IP address after name resolution is
> random

Because I've seen it come back random: see above.  ;-)

> I have this confusion because, when I ping www.google.com on the
> command line window, it always returns the same IP address,

Then your caching name server or your client resolver isn't quite right.
The www.l.google.com name (which www.google.com is a CNAME for) comes
back with three different A records (and a TTL of five minutes), and my
client resolver library switches their order each time the name is
requested.  I believe that's because my caching nameserver switches
their order too, but I don't know that for sure (haven't looked at the
order of returned records in the raw packet).  Most programs just choose
the first address in the list.

However, none of this applies to web traffic, due to the proxy.  The
client doesn't even resolve the name on its own for proxy traffic.  It
just sends the entire request off to the proxy, name and everything.

>> windump (or any other libpcap/winpcap program) doesn't look inside
>> the proxy traffic when comparing packets against the "host"
>> directive; it just compares the IP src and dst addresses on the
>> packet.
> 
> You mean if I am using proxy in my intranet, the source address and
> destination address (which we could use host to filter in WinDump) is
> always my computer's IP and proxy's IP?

For traffic headed to the proxy server, yes.  And when you set up a
proxy in a web browser, *all* HTTP/HTTPS traffic from the browser will
go to the proxy.  (That's sort of the whole point of a proxy.  ;-) )

> And this is why when I set host to the IP of google, I can not get
> any result?

Most likely.  If you set host to the IP of the proxy (and use the right
proxy port), then you'll see the GET request that gets sent to the
proxy.  You'll be able to see how instead of a normal HTTP GET, which
includes only the part of the URL after the server portion (e.g.
/files/), the browser sends the entire URL (e.g. http://server/files/).

Note that this won't apply to ping, since ping isn't HTTP, and proxies
are only valid for HTTP.  Also note that if your network has a proxy, it
may not allow pings out either (or name resolution, for that matter) --
but it sounds like yours does, so that shouldn't be an issue.
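Bryan's explanation of why `host <google IP>` matches nothing when a proxy is in use, and of the absolute URL the browser sends to the proxy, can be checked offline. The following is an added example (not code from this thread or from WinPcap/libpcap) that builds two constructed IPv4/TCP packets, one sent directly to a web server and one sent to a proxy, then applies a `host`-style and `port`-style predicate to them the way the pcap filter does, looking only at the IP header addresses and TCP ports, never at the HTTP payload. The client and proxy addresses and the proxy port 8080 are assumptions; the server address is one of the addresses from Bryan's pings.

```python
import struct
from ipaddress import IPv4Address

# Constructed addresses for the example (RFC 5737 documentation range); not real hosts.
CLIENT = "192.0.2.10"
PROXY = "192.0.2.1"
PROXY_PORT = 8080          # assumed proxy port
WEB_SERVER = "64.233.167.99"


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Minimal IPv4 + TCP packet (no Ethernet header, checksums left zero) carrying payload."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0x4000,
                     64, 6, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip + tcp + payload


def parse_packet(pkt: bytes) -> dict:
    """Extract what 'host' and 'port' filters actually compare on, plus the TCP payload."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src, dst = str(IPv4Address(pkt[12:16])), str(IPv4Address(pkt[16:20]))
    sport = dport = None
    payload = b""
    if proto == 6:                                   # TCP
        tcp = pkt[ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        payload = tcp[(tcp[12] >> 4) * 4:]
    return {"src": src, "dst": dst, "sport": sport, "dport": dport, "payload": payload}


def host(addr: str):
    """pcap 'host X': the IP source or destination equals X.  The payload is never inspected."""
    return lambda p: p["src"] == addr or p["dst"] == addr


def port(n: int):
    """pcap 'port N': TCP source or destination port equals N."""
    return lambda p: n in (p["sport"], p["dport"])


def both(f, g):
    """pcap 'A and B'."""
    return lambda p: f(p) and g(p)


def capture(packets: list, predicate) -> list:
    """Return the parsed packets that pass the filter, in capture order."""
    return [p for p in map(parse_packet, packets) if predicate(p)]


def request_form(payload: bytes):
    """Classify the HTTP request-target: 'origin' (GET /files/) as sent to the server
    itself, 'absolute' (GET http://server/files/) as a browser sends to a proxy."""
    line = payload.split(b"\r\n", 1)[0].split(b" ")
    if len(line) != 3 or not line[2].startswith(b"HTTP/"):
        return None
    target = line[1]
    if target.startswith(b"/"):
        return "origin"
    if b"://" in target:
        return "absolute"
    return None


def sample_packets() -> list:
    """Constructed capture: one direct request and one request routed through the proxy."""
    direct = build_ipv4_tcp(CLIENT, WEB_SERVER, 50000, 80,
                            b"GET /files/ HTTP/1.1\r\nHost: www.google.com\r\n\r\n")
    proxied = build_ipv4_tcp(CLIENT, PROXY, 50001, PROXY_PORT,
                             b"GET http://www.google.com/files/ HTTP/1.1\r\n"
                             b"Host: www.google.com\r\n\r\n")
    return [direct, proxied]


if __name__ == "__main__":
    pkts = sample_packets()
    print("host", WEB_SERVER, "matches", len(capture(pkts, host(WEB_SERVER))), "packet(s)")
    for p in capture(pkts, both(host(PROXY), port(PROXY_PORT))):
        print("via proxy:", p["src"], "->", p["dst"], request_form(p["payload"]), "request")
```

The proxied packet never matches `host 64.233.167.99`, because the only addresses in its IP header are the client and the proxy; the server's name survives only inside the HTTP payload, which the filter does not read. Filtering on the proxy's address and port is what exposes the absolute-form GET line Bryan describes.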