tshark and tcpdump

Occasionally we work with interesting network bugs or we want to learn more about how our service behaves outside of the application layer. Two tools that help me in those occasions are tshark and tcpdump.

Installation

Let’s assume we work on a unix system. Then to install tcpdump we simple execute:

$ apt install tcpdump

Installing tshark is simple too:

$ apt install libcap2-bin tshark

Example API

As a demonstration, we are going to utilize a clean and small Sinatra server. For this example a working Ruby installation is required. See the official docs on how to install Ruby properly on a local machine: https://www.ruby-lang.org/en/documentation/installation/

Going back to our example, first, create the repo:

$ mkdir booklist && cd booklist

Install sinatra:

$ gem install sinatra

Create the example API:

$ cat server.rb

require 'sinatra'
require 'json'

get '/' do
["pragmatic programmer", "clean code"].to_json
end

Fire up the server:

$ ruby server.rb

== Sinatra (v2.0.4) has taken the stage on 4567 for development with backup from Puma
Puma starting in single mode...
* Version 3.12.0 (ruby 2.4.0-p0), codename: Llamas in Pajamas
* Min threads: 0, max threads: 16
* Environment: development
* Listening on tcp://localhost:4567
Use Ctrl-C to stop

It works:

$ curl -X GET localhost:4567 | jq .

[
"pragmatic programmer",
"clean code"
]

tcpdump

tcpdump is available on most unix systems, so we can use it on a small remote sever where tshark would be most probably an overkill. It provides decoding so we can investigate how our services interact with the network.

We will work with the lo interface for this example:

$ tcpdump -D

Execute:

$ sudo tcpdump -i lo -A

Hit the service:

$ curl -X GET localhost:4567

Now notice that tcpdump has captured the traffic:

HTTP/1.1 200 OK
Content-Type: text/html;charset=utf-8
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Length: 37

["pragmatic programmer","clean code"]

tshark

tshark is a powerful sniffer with many filters which can decode traffic and provides tools for running more complex analysis on it.

tshark can behave exactly like tcpdump:

$ tshark -i lo --color

Depending on the problem, the best solution may be to combine the powers of these tools. A usual case is to create a file with captured decoded traffic with tcpdump and then run analysis on the file with tshark. Or just do both with tshark.

Let’s explore how to do this on the previous example.

Capture the traffic to a packet capture(pcap) file:

$ touch dump
$ tshark -i lo -w dump.pcap

Analyze it:

$ tshark -r dump.pcap

For example, HTTP analysis:

$ tshark -r dump.pcap -Y http.request -T fields -e http.host -e http.user_agent | sort | uniq -c | sort -n

We could also use wireshark for the last step which provides a nice GUI.

Outro

Learning more about these tools has helped me analyze and research solutions on more complicated problems, which in turn help me grow as an engineer and problem solver. Some good references for learning more about these tools are:

1) tutorial: https://danielmiessler.com/study/tcpdump/
2) how tcp works: https://medium.com/@eranda/analyze-tcp-dumps-a089c2644f19
3) book: https://www.goodreads.com/book/show/505564.The_TCP_IP_Guide

Git bisect debugging

Git is being used primarily for version control but it also provides some generic tools for debugging. In this article, we will
explore how git bisect can help us firstly spot a commit that introduced a but in our codebase and secondly track it throughout
it’s lifespan.

What is git bisect

From the official docs:

The bisect command does a binary search through your commit history to help you identify as quickly as possible which commit
introduced an issue.

Read more at https://git-scm.com/book/en/v2/Git-Tools-Debugging-with-Git.

The gist is that git bisect provides feedback about where and when the bug was introduced.

Example

First of all, we start by running:

$ git bisect start

A binary search is being initialized and we have to answer yes or no, which usually means answer whether the commit
was error free or not.

We do this by marking commits as bad or good:

$ git bisect bad
$ git bisect good

We also get some feedback along the way:

# => Bisecting: 6 revisions left to test after this

When we are done with our research we can easily get back to a working state:

$ git bisect reset

Ruby Blocks

In this article we will discuss how default arguments work and analyze a situation where they can be useful.

The Ruby block

Ruby blocks are code that can be run by other code. All methods can accept blocks, but it’s up to them whether they do something with them or not.

3.times { puts 'hello world' }
3.times do
  puts 'hello world'
end

Blocks can take parameters

Ruby blocks accept parameters and can also initialize them with default values.

def call_block(&block)
  block.call
end

call_block do |greeting = "hi"|
  puts "Block value: '#{greeting}'"
end

In the example above, we initialize the local block variable greeting with the value “hi”.

The behavior can be demonstrated more easily if we use procs:

is_even_proc = Proc.new {|n=1| n%2 == 0 }

is_even_proc(2) # => true
is_even_proc()  # => false, which is the default behavior

Usefulness

For a real example let’s consider the shared examples feature from RSpec, the well know gem for behavior driven development inside the Ruby ecosystem. So, when we use shared_examples we can define a default value and thus avoid code duplication.

# pseudocode

shared_example success |cost=0|
  it "processes the order" do
    expect_any_instance_of(Product).to receive(cost)
  end
end

# Can be used with or without cost

it_behaves_like :success, 1
it_behaves_like :success

Conclusion

To sum up, Ruby allows blocks to receive parameters and enables its initialization with default values. This is applicable is some real world scenarios, such as DRYing up our RSpec suite.

Rack Sailing

In this article we will discuss how we can sail with Rack in a real-world problem.

What Is Rack

Rack is a minimalistic Ruby Web server Interface. As a matter of fact, we can use Rack to build web applications if we follow its protocol. Notably, the protocol is straightforward. We need a Ruby object that responds to the call method which returns a three-element Array:

# rack_hello_world.rb

require 'rack'
 
class HelloWorldApp
  def self.call(env)
    # 200 is the HTTP status code
    # the second element is the response HTTP header hash
    # finally the last element is the response body
    ['200', {'Content-Type' => 'text/html'}, ['A hello world rack app.']]
  end
end

Rack::Handler::WEBrick.run HelloWorldApp

To try the above rack application:

$ gem install rack
$ mkdir rack_hello_world
$ cd rack_hello_world

Write the rack_hello_world.rb file and execute:

$ ruby rack_hello_world.rb
$ curl -I http://localhost:8080

The Middleware

We can compose Rack applications together using middlewares. A middleware basically lets us wrap different inputs and outputs in order to integrate them into our problem-solving.

One common usage is in Rails. For example, Rails uses middlewares to wrap HTTP requests in a simple way.

Continuing from the previous example lets implement a middleware which will add some headers to our response:

# rack_hello_world.rb

# ...

class AddSomeHeaders
  def initialize(app)
    @app = app
  end

  def call(env)
    @app.call(env).tap { |status, headers, body| headers['X-awesome'] = true }
  end
end

app = Rack::Builder.new do
  use AddSomeHeaders
  run HelloWorldApp
end

Rack::Server.start app: app

The response headers:

$ curl -I http://localhost:8080
# => HTTP/1.1 200 OK
# => Content-Type: text/html
# => X-Awesome: true
# => Server: WEBrick/1.3.1 (Ruby/2.3.3/2016-11-21)
# => Date: Thu, 01 Jan 2018 21:29:53 GMT
# => Content-Length: 23
# => Connection: Keep-Alive

The Real World

For a real-world usage of a Rack middleware, we can open the Rails project.

# /actionpack/lib/action_dispatch/middleware/ssl.rb

# I simplified the call for the article's purpose
def call(env)
  request = Request.new env

  if request.ssl?
    @app.call(env).tap do |status, headers, body|
      set_hsts_header! headers
    end
  end
end

As a matter of fact, we can observe that the tap is being used. This basically enables us to manipulate the app object(here the response) in a clean way at a later time. To put it differently, the logic is that @app.call(env) will have to return before the tap block gets executed.

The above is equivalent to:

def call(env)
  request = Request.new env

  if request.ssl?
    res = @app.call(env)
    res[1] = set_hsts_header! res[1]
    res
  end
end

It’s important to realize that if we want to place a middleware before the ActionDispatch::SSL one we would have to tap(sic) into the object after the ActionDispatch::SSL middleware is done.

Indeed, we can observe this functionality if we extend our previous example:

# rack_hello_world.rb

# ...

class EditSomeHeaders
  def initialize(app)
    @app = app
  end

  def call(env)
    @app.call(env).tap do |status, headers, body|
      headers.delete('X-awesome')
      headers['X-double-awesome'] = 'true'
    end
  end
end

app = Rack::Builder.new do
  use EditSomeHeaders
  use AddSomeHeaders
  run HelloWorldApp
end

Rack::Handler::WEBrick.run app

Notice how EditSomeHeaders is being placed before AddSomeHeaders in the middleware stack.

To clarify, execute:

$ curl -I http://localhost:8080
# => HTTP/1.1 200 OK
# => Content-Type: text/html
# => X-Double-Awesome: true # => This has changed
# => Server: WEBrick/1.3.1 (Ruby/2.3.3/2016-11-21)
# => Date: Thu, 01 Jan 2018 22:24:29 GMT
# => Content-Length: 23
# => Connection: Keep-Alive

Meanwhile, the full code example is available on github.

Takeaway

In this article, we’ve explored the basic concepts of Rack, built a Rack middleware and investigated how Rails utilizes
Rack to enforce the SSL policy.

All things considered, reading the code under the hood of a famous or well-engineered library or framework can teach us new methodologies and ways of solving problems. In essence, going through the Rails source code taught us how to use the tap method to manipulate a Rack object that is being manipulated later in the stack.