CALEA not working well on external PC

Hi guys,

I'm configuring CALEA to stream traffic to an external Linux box with tshark.

On the MikroTik, here is the configuration:

/ip firewall calea
add action=sniff chain=forward port=443 protocol=tcp sniff-target=192.168.173.158 sniff-target-port=8888 src-address=192.168.173.107

192.168.173.158 is the Linux box which is accepting the CALEA traffic
192.168.173.107 is the client which is surfing the internet
192.168.173.1 is the MikroTik

I'm trying to open the page http://www.unosms.us/api.php and see what it looks like after I capture it with tshark:

Frame 103: 543 bytes on wire (4344 bits), 543 bytes captured (4344 bits) on interface 0
Interface id: 0 (wlp1s0)
Interface name: wlp1s0
Encapsulation type: Ethernet (1)
Arrival Time: May 13, 2018 20:25:25.909612421 EEST
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1526232325.909612421 seconds
[Time delta from previous captured frame: 0.000023303 seconds]
[Time delta from previous displayed frame: 0.000023303 seconds]
[Time since reference or first frame: 1.194545944 seconds]
Frame Number: 103
Frame Length: 543 bytes (4344 bits)
Capture Length: 543 bytes (4344 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:ip:udp:data]
Ethernet II, Src: Routerbo_ec:66:b3 (e4:8d:8c:ec:66:b3), Dst: IntelCor_87:c2:74 (00:db:df:87:c2:74)
Destination: IntelCor_87:c2:74 (00:db:df:87:c2:74)
Address: IntelCor_87:c2:74 (00:db:df:87:c2:74)
… ..0. … … … … = LG bit: Globally unique address (factory default)
… …0 … … … … = IG bit: Individual address (unicast)
Source: Routerbo_ec:66:b3 (e4:8d:8c:ec:66:b3)
Address: Routerbo_ec:66:b3 (e4:8d:8c:ec:66:b3)
… ..0. … … … … = LG bit: Globally unique address (factory default)
… …0 … … … … = IG bit: Individual address (unicast)
Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 192.168.173.1, Dst: 192.168.173.158
0100 … = Version: 4
… 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
0000 00.. = Differentiated Services Codepoint: Default (0)
… ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
Total Length: 529
Identification: 0xb436 (46134)
Flags: 0x00
0… … = Reserved bit: Not set
.0.. … = Don’t fragment: Not set
..0. … = More fragments: Not set
Fragment offset: 0
Time to live: 255
Protocol: UDP (17)
Header checksum: 0x29b4 [validation disabled]
[Header checksum status: Unverified]
Source: 192.168.173.1
Destination: 192.168.173.158
[Source GeoIP: Unknown]
[Destination GeoIP: Unknown]

User Datagram Protocol, Src Port: 8888, Dst Port: 8888
Source Port: 8888
Destination Port: 8888
Length: 509
[Checksum: [missing]]
[Checksum Status: Not present]
[Stream index: 4]
Data (501 bytes)

0000 01 00 00 01 01 e4 8d 8c ec 66 b3 34 7c 25 81 7d …f.4|%.}
0010 19 08 00 45 00 01 e2 00 00 40 00 3f 06 2b 08 c0 …E…@.?.+..
0020 a8 ad 6b 90 4c 10 ae e5 57 00 50 45 5b 18 53 46 ..k.L…W.PE[.SF
0030 c1 e2 32 80 18 08 10 7b 97 00 00 01 01 08 0a 59 ..2…{…Y
0040 54 e8 64 8b 0b 75 ff 47 45 54 20 2f 61 70 69 2e T.d..u.GET /api.
0050 70 68 70 20 48 54 54 50 2f 31 2e 31 0d 0a 48 6f php HTTP/1.1..Ho
0060 73 74 3a 20 77 77 77 2e 75 6e 6f 73 6d 73 2e 75 st: www.unosms.u
0070 73 0d 0a 41 63 63 65 70 74 3a 20 74 65 78 74 2f s..Accept: text/

0080 68 74 6d 6c 2c 61 70 70 6c 69 63 61 74 69 6f 6e html,application
0090 2f 78 68 74 6d 6c 2b 78 6d 6c 2c 61 70 70 6c 69 /xhtml+xml,appli
00a0 63 61 74 69 6f 6e 2f 78 6d 6c 3b 71 3d 30 2e 39 cation/xml;q=0.9
00b0 2c 2a 2f 2a 3b 71 3d 30 2e 38 0d 0a 55 70 67 72 ,/;q=0.8..Upgr
00c0 61 64 65 2d 49 6e 73 65 63 75 72 65 2d 52 65 71 ade-Insecure-Req
00d0 75 65 73 74 73 3a 20 31 0d 0a 43 6f 6f 6b 69 65 uests: 1..Cookie
00e0 3a 20 50 48 50 53 45 53 53 49 44 3d 34 30 66 37 : PHPSESSID=40f7
00f0 31 37 36 39 61 33 39 65 32 62 30 63 61 32 61 39 1769a39e2b0ca2a9
0100 64 38 66 34 38 62 63 64 35 35 64 64 0d 0a 55 73 d8f48bcd55dd..Us
0110 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c er-Agent: Mozill
0120 61 2f 35 2e 30 20 28 69 50 68 6f 6e 65 3b 20 43 a/5.0 (iPhone; C
0130 50 55 20 69 50 68 6f 6e 65 20 4f 53 20 31 31 5f PU iPhone OS 11_
0140 33 20 6c 69 6b 65 20 4d 61 63 20 4f 53 20 58 29 3 like Mac OS X)
0150 20 41 70 70 6c 65 57 65 62 4b 69 74 2f 36 30 35 AppleWebKit/605
0160 2e 31 2e 31 35 20 28 4b 48 54 4d 4c 2c 20 6c 69 .1.15 (KHTML, li
0170 6b 65 20 47 65 63 6b 6f 29 20 56 65 72 73 69 6f ke Gecko) Versio
0180 6e 2f 31 31 2e 30 20 4d 6f 62 69 6c 65 2f 31 35 n/11.0 Mobile/15
0190 45 31 34 38 20 53 61 66 61 72 69 2f 36 30 34 2e E148 Safari/604.
01a0 31 0d 0a 41 63 63 65 70 74 2d 4c 61 6e 67 75 61 1..Accept-Langua
01b0 67 65 3a 20 65 6e 2d 75 73 0d 0a 41 63 63 65 70 ge: en-us..Accep
01c0 74 2d 45 6e 63 6f 64 69 6e 67 3a 20 67 7a 69 70 t-Encoding: gzip
01d0 2c 20 64 65 66 6c 61 74 65 0d 0a 43 6f 6e 6e 65 , deflate..Conne
01e0 63 74 69 6f 6e 3a 20 6b 65 65 70 2d 61 6c 69 76 ction: keep-aliv
01f0 65 0d 0a 0d 0a e…
Data: 0100000101e48d8cec66b3347c25817d190800450001e200…
[Length: 501]

You can see here that the source IP address is the MikroTik and the destination IP address is the tshark server:

Source: 192.168.173.1
Destination: 192.168.173.158
[Source GeoIP: Unknown]
[Destination GeoIP: Unknown]
and there is no data for GeoIP,

and the captured URL is like garbage:

0040 54 e8 64 8b 0b 75 ff 47 45 54 20 2f 61 70 69 2e T.d..u.GET /api.
0050 70 68 70 20 48 54 54 50 2f 31 2e 31 0d 0a 48 6f php HTTP/1.1..Ho
0060 73 74 3a 20 77 77 77 2e 75 6e 6f 73 6d 73 2e 75 st: www.unosms.u
0070 73 0d 0a 41 63 63 65 70 74 3a 20 74 65 78 74 2f s..Accept: text/

But when I stream the traffic to a MikroTik CALEA server, it looks different:

Frame 3: 510 bytes on wire (4080 bits), 510 bytes captured (4080 bits)
Encapsulation type: Ethernet (1)
Arrival Time: May 13, 2018 20:55:26.093123000 EEST
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1526234126.093123000 seconds
[Time delta from previous captured frame: 0.000136000 seconds]
[Time delta from previous displayed frame: 0.000136000 seconds]
[Time since reference or first frame: 0.006628000 seconds]
Frame Number: 3
Frame Length: 510 bytes (4080 bits)
Capture Length: 510 bytes (4080 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:ip:tcp:http]
Ethernet II, Src: 00:00:00_00:00:00 (00:00:00:00:00:00), Dst: 00:00:00_00:00:00 (00:00:00:00:00:00)
Destination: 00:00:00_00:00:00 (00:00:00:00:00:00)
Address: 00:00:00_00:00:00 (00:00:00:00:00:00)
… ..0. … … … … = LG bit: Globally unique address (factory default)
… …0 … … … … = IG bit: Individual address (unicast)
Source: 00:00:00_00:00:00 (00:00:00:00:00:00)
Address: 00:00:00_00:00:00 (00:00:00:00:00:00)
… ..0. … … … … = LG bit: Globally unique address (factory default)
… …0 … … … … = IG bit: Individual address (unicast)
Type: IPv4 (0x0800)
Trailer: 65ffffbe795cf19d24b5
Frame check sequence: 0x407ea662 incorrect, should be 0x99cbd8aa
[Expert Info (Error/Checksum): Bad checksum [should be 0x99cbd8aa]]
[Bad checksum [should be 0x99cbd8aa]]
[Severity level: Error]
[Group: Checksum]
[FCS Status: Bad]
Internet Protocol Version 4, Src: 192.168.173.107, Dst: 144.76.16.174
0100 … = Version: 4
… 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
0000 00.. = Differentiated Services Codepoint: Default (0)
… ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
Total Length: 482
Identification: 0x0000 (0)
Flags: 0x02 (Don’t Fragment)
0… … = Reserved bit: Not set
.1.. … = Don’t fragment: Set
..0. … = More fragments: Not set
Fragment offset: 0
Time to live: 63
Protocol: TCP (6)
Header checksum: 0x2b08 [validation disabled]
[Header checksum status: Unverified]
Source: 192.168.173.107
Destination: 144.76.16.174
[Source GeoIP: Unknown]
[Destination GeoIP: Germany, AS24940 Hetzner Online GmbH, Germany, AS24940 Hetzner Online GmbH, 51.299301, 9.490900]
[Destination GeoIP Country: Germany]
[Destination GeoIP AS Number: AS24940 Hetzner Online GmbH]
[Destination GeoIP Country: Germany]
[Destination GeoIP AS Number: AS24940 Hetzner Online GmbH]
[Destination GeoIP Latitude: 51.299301]
[Destination GeoIP Longitude: 9.490900]
Transmission Control Protocol, Src Port: 58728, Dst Port: 80, Seq: 1, Ack: 1, Len: 430
Source Port: 58728
Destination Port: 80
[Stream index: 0]
[TCP Segment Len: 430]
Sequence number: 1 (relative sequence number)
[Next sequence number: 431 (relative sequence number)]
Acknowledgment number: 1 (relative ack number)
1000 … = Header Length: 32 bytes (8)
Flags: 0x018 (PSH, ACK)
000. … … = Reserved: Not set
…0 … … = Nonce: Not set
… 0… … = Congestion Window Reduced (CWR): Not set
… .0.. … = ECN-Echo: Not set
… ..0. … = Urgent: Not set
… …1 … = Acknowledgment: Set
… … 1… = Push: Set
… … .0.. = Reset: Not set
… … ..0. = Syn: Not set
… … …0 = Fin: Not set
[TCP Flags: ·······AP···]
Window size value: 2064
[Calculated window size: 132096]
[Window size scaling factor: 64]
Checksum: 0xb1fb [unverified]
[Checksum Status: Unverified]
Urgent pointer: 0
Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
TCP Option - No-Operation (NOP)
Kind: No-Operation (1)
TCP Option - No-Operation (NOP)
Kind: No-Operation (1)
TCP Option - Timestamps: TSval 1499855289, TSecr 1094312456
Kind: Time Stamp Option (8)
Length: 10
Timestamp value: 1499855289
Timestamp echo reply: 1094312456
[SEQ/ACK analysis]
[iRTT: 0.006492000 seconds]
[Bytes in flight: 431]
[Bytes sent since last PSH flag: 430]
TCP payload (430 bytes)
Hypertext Transfer Protocol
GET /api.php HTTP/1.1\r\n
[Expert Info (Chat/Sequence): GET /api.php HTTP/1.1\r\n]
[GET /api.php HTTP/1.1\r\n]
[Severity level: Chat]
[Group: Sequence]
Request Method: GET
Request URI: /api.php
Request Version: HTTP/1.1
Host: www.unosms.us\r\n
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8\r\n
Upgrade-Insecure-Requests: 1\r\n
Cookie: PHPSESSID=40f71769a39e2b0ca2a9d8f48bcd55dd\r\n
Cookie pair: PHPSESSID=40f71769a39e2b0ca2a9d8f48bcd55dd
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1\r\n
Accept-Language: en-us\r\n
Accept-Encoding: gzip, deflate\r\n
Connection: keep-alive\r\n
\r\n
[Full request URI: http://www.unosms.us/api.php]
[HTTP request 1/1]

You can see here the source IP and destination IP, and even the GeoIP of the host:

Source: 192.168.173.107
Destination: 144.76.16.174
[Source GeoIP: Unknown]
[Destination GeoIP: Germany, AS24940 Hetzner Online GmbH, Germany, AS24940 Hetzner Online GmbH, 51.299301, 9.490900]
[Destination GeoIP Country: Germany]
[Destination GeoIP AS Number: AS24940 Hetzner Online GmbH]
[Destination GeoIP Country: Germany]
[Destination GeoIP AS Number: AS24940 Hetzner Online GmbH]
[Destination GeoIP Latitude: 51.299301]
[Destination GeoIP Longitude: 9.490900]
and the full request URL:

[Full request URI: http://www.unosms.us/api.php]

Why do you think it is not working when I stream from CALEA to an external tshark, while it works well when I stream to a MikroTik CALEA server, but tshark is capturing well on devices that are not MikroTik?

Any idea will be helpful.

Thanks
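
Added example, not part of the original post: the UDP payload in the first capture begins with `01 00 00 01 01`, which matches a TZSP header (version 1, type 0, encapsulated protocol 1 = Ethernet, then the end tag), with the client's original frame following it. The sketch below strips that header and decodes the inner IPv4/TCP fields; `strip_tzsp`, `summarize` and `SAMPLE` are names chosen here, and the sample is the first 96 bytes of the dump shown in the post.

```python
import socket
import struct

# Constructed sample: first 96 bytes of the UDP payload from the post's hex dump.
SAMPLE = bytes.fromhex(
    "01 00 00 01 01 e4 8d 8c ec 66 b3 34 7c 25 81 7d"
    "19 08 00 45 00 01 e2 00 00 40 00 3f 06 2b 08 c0"
    "a8 ad 6b 90 4c 10 ae e5 57 00 50 45 5b 18 53 46"
    "c1 e2 32 80 18 08 10 7b 97 00 00 01 01 08 0a 59"
    "54 e8 64 8b 0b 75 ff 47 45 54 20 2f 61 70 69 2e"
    "70 68 70 20 48 54 54 50 2f 31 2e 31 0d 0a 48 6f"
)
TAG_PADDING, TAG_END = 0x00, 0x01

def strip_tzsp(datagram: bytes) -> bytes:
    """Return the encapsulated frame from one TZSP datagram (the UDP payload)."""
    if len(datagram) < 4:
        raise ValueError("too short for a TZSP header")
    version, _ptype, encap = struct.unpack_from("!BBH", datagram, 0)
    if version != 1 or encap != 1:            # encap 1 = Ethernet
        raise ValueError("not TZSP v1 carrying Ethernet")
    i = 4
    while i < len(datagram):                  # walk the tagged fields
        tag = datagram[i]
        if tag == TAG_END:
            return datagram[i + 1:]           # everything after the end tag
        if tag == TAG_PADDING:
            i += 1
            continue
        if i + 1 >= len(datagram):            # tag without a length byte
            break
        i += 2 + datagram[i + 1]              # skip tag, length, value
    raise ValueError("TZSP end tag not found")

def summarize(datagram: bytes) -> dict:
    """Decode the inner Ethernet/IPv4/TCP headers of a TZSP datagram."""
    frame = strip_tzsp(datagram)
    if len(frame) < 14 + 20:
        raise ValueError("inner frame truncated")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != 0x0800:
        raise ValueError("inner frame is not IPv4")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                  # IPv4 header length in bytes
    info = {"src": socket.inet_ntoa(ip[12:16]),
            "dst": socket.inet_ntoa(ip[16:20]), "proto": ip[9]}
    if ip[9] == 6 and len(ip) >= ihl + 20:    # TCP: ports and payload
        tcp = ip[ihl:]
        info["sport"], info["dport"] = struct.unpack_from("!HH", tcp, 0)
        info["payload"] = tcp[(tcp[12] >> 4) * 4:]
    return info

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

tshark can apply the same decoding itself through its decode-as option, for example `-d udp.port==8888,tzsp`, because the stream here uses port 8888 rather than the TZSP dissector's default port.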