blag/post/netcat-your-friendly-network-sniffer.mdwn

   1 [[!meta date=2009-09-24]]
   2 [[!meta title="netcat, your friendly network sniffer"]]
   3 [[!meta license="CC-BY-SA 3.0"]]
   4 [[!meta author=rohieb]]
   5
   6 I was bored today and started to play around with this Windows Mobile
   7 Messaging application (I think it’s called Outlook Mobile or sort of
   8 thing), and I found out that I was not able to connect to my IMAP
   9 mailbox on my root server, though it worked with my Freemail account. So
  10 I wanted to see what makes Outlook Mobile bother about my IMAP server.
  11
  12 If you are familiar with Linux (which I suppose you are ;-)), you
  13 certainly know `netcat`. With this little tool, you can talk directly to
  14 servers on a byte-oriented basis, and this can be very useful if you
  15 have to debug programs which use character-oriented protocols like IMAP,
  16 SMTP, IRC and so on.
  17
  18 But I’ve realised that I can not only use `netcat` to talk to a server
  19 myself, but even to build a transparent proxy server that displays all
  20 the data that comes over it. After a while — okay, it was about 2 hours
  21 — I got the following nice command:
  22
  23     $ mkfifo pipe
  24     $ tty=`tty`; netcat -l 1234 < pipe | tee $tty |
  25       netcat myserver.com 143 | tee pipe
  26
  27 I could now set up Outlook Mobile to talk to port 1234 on my home
  28 computer and the bytes went straight to my console and also to port 143
  29 (the IMAP port) on my server.
  30
  31 The first direction was straightforward: the first `netcat` process
  32 listens to the local port and pipes its output first to the console
  33 (using `tee`) and then to a second `netcat` instance that does the
  34 communication with the remote server. Now, the commands from the server
  35 have to get back to the client, so I created a named pipe using `mkfifo`
  36 (of course, your filesystem has to support it, so you better not do this
  37 on FAT) and used this as the input to the first `netcat` process that
  38 sends it back to the original client.
  39
  40 Of course, I could have used Wireshark, but I hate that it does not
  41 allow to copy&paste the contents of a packet so I have only the bytes of
  42 the protocol that I need — which can be quite useful if you want to
  43 reuse parts of the content, especially in character-oriented protocols.
  44 Also, the filter settings in Wireshark can be annoying, there is no
  45 simple way to only have packets from one network connection (or I
  46 haven’t found it yet).
  47
  48 So, finally I found out that is has something to do with the IMAP
  49 capabilities that Outlook Mobile bothers about. I suppose I will write
  50 something about it if I have traced the problem back.
  51
  52 **Update:** Note: You can also rewrite the server and/or client messages
  53 using `sed`, but be sure to use unbuffered output with `-u` like that:
  54
  55     $ tty=`tty`; netcat -l 143 < pipe | tee $tty | netcat myserver.com 143 |
  56       sed -u 's/^\* CAPABILITY.*/* CAPABILITY IMAP4 STARTTLS/' | tee pipe
  57
  58 [[!tag hacking howto debugging IMAP Linux netcat network_protocols
  59     proxy_server shell]]