4

One of our apps is calling a third-party webservice which has recently been switched to a different URI. We need to investigate this to try and see where the old address is being used (the code/config has been modified to the new one already). Is there a quick and lightweight way of logging any outbound HTTP requests the server is making?

It's an ASP.Net application running on Windows 2008 Server with IIS 7.

John Gardeniers
immutabl

3 Answers

2

Install http://www.winpcap.org/windump/ on the server, and run it with the following flags:

```
windump -w "C:\Temp\tcpdump.log" dst host {old IP address} and dst port 80
```

You can leave that running for a day or so, then look at the log. Using -w will write out the raw packets, so that you can see exactly what is being sent (and thus, hopefully, what is sending it).

Please note that I've only used tcpdump, the program that windump is based off of, so if there are differences between them, you may have to adjust the flags. But there are a lot of tcpdump tutorials out there, to guide you in the right direction.

David Bishop
  • I don't see how seeing what is sent will tell them where it came from, really. Something that can also report at least what process sent the request might work better; for example, NirSoft's [SmartSniff (`smsniff`)](http://www.nirsoft.net/utils/smsniff.html). – SamB May 03 '11 at 20:36
  • Also, if you *do* end up using windump, [Wireshark](http://wireshark.org) is an excellent tool for analyzing such dumps. – SamB May 03 '11 at 21:12
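
One way to "look at the log" that the answer above writes with `-w`, as an added example rather than code from any of the posters: a standard-library Python reader that lists the timestamp, local source port, HTTP request line and Host header of each request in a classic pcap file. The sample capture, the addresses 10.0.0.5 and 192.0.2.10, the path and the host name are constructed; it assumes an Ethernet capture holding full-length packets (tcpdump's `-s 0`).

```python
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"DELETE ", b"HEAD ", b"OPTIONS ")

def http_requests(pcap):
    """Yield (ts_sec, src_port, request_line, host) per HTTP request in a classic pcap."""
    # The magic number tells us the byte order the capture file was written in.
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    off = 24
    while off + 16 <= len(pcap):
        ts_sec, _, incl_len, _ = struct.unpack(end + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                   # not IPv4 carrying TCP
        total_len = struct.unpack("!H", frame[16:18])[0]
        ip = frame[14:14 + total_len] if total_len else frame[14:]
        tcp = ip[(ip[0] & 0x0F) * 4:]  # skip the IP header (IHL words)
        if len(tcp) < 20:
            continue
        payload = tcp[(tcp[12] >> 4) * 4:]
        if not payload.startswith(HTTP_METHODS):
            continue                   # handshake, ACK or a later segment
        lines = payload.split(b"\r\n")
        host = next((ln[5:].strip() for ln in lines[1:]
                     if ln.lower().startswith(b"host:")), b"")
        src_port = struct.unpack("!H", tcp[:2])[0]
        yield ts_sec, src_port, lines[0].decode("latin-1"), host.decode("latin-1")

def sample_pcap():
    """Constructed capture: a bare TCP segment, then one request to 192.0.2.10:80."""
    def record(ts, payload):
        tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                         bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10]))
        eth = b"\x02" * 12 + b"\x08\x00" + ip + tcp
        return struct.pack("<IIII", ts, 0, len(eth), len(eth)) + eth
    req = b"GET /old/service.asmx HTTP/1.1\r\nHost: old-api.example.com\r\n\r\n"
    return (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
            + record(1300000000, b"") + record(1300000005, req))

if __name__ == "__main__":
    for row in http_requests(sample_pcap()):   # or open(path, "rb").read()
        print(row)
```

The timestamp and source port of each row can be compared with what TCPView or Tcpvcon recorded for the same connection to identify the owning process.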
1

Wireshark! Rules!!! Which amounts to a GUI version of what David Bishop suggested above ^^^^^

However, if you want a tool more integrated with Windows that also enumerates the local processes involved, there are the Sysinternals tools, which are free from Microsoft.

Specifically, TCPView can be used to see which process is connected to what remote host (however, you have to fall back to windump or Wireshark to match the connection to the request URL, unless that feature has been added recently).

There is also a Tcpvcon command line version if you want to log all these requests to some file. But I imagine that this bears the same considerations as running any packet dump to file for a long period of time, i.e. beware you don't fill your disk and crash the box totally.

Tom
0

Unfortunately I don't have any experience in ASP.Net, but I can offer a round-about method whereby you could track this. If you are running Squid in front of the server in question, it's quite easy to take a quick look through the Squid logs to identify requests made to an incorrect URI. I wouldn't recommend installing a Squid box just for this reason, but it will probably be the quickest way to identify incorrect URIs if you already have a Squid proxy in place.

Richard Keller