Thursday, December 24, 2015

Route 3: Using Wireshark to Identify Failing Traffic

Using Wireshark on the AnyConnect interface, I captured the process of logging into the schoolhouse, selecting a course, and opening up a VM.  The packet capture included over 900 packets.

I'm not in the mood to parse that much material.

To whittle that down to fewer than 100 packets, I ran a second capture that only covers launching a VM and the subsequent 10 seconds of black screen until the error message.

Analyzing using Follow >> TCP Stream is a must here.

9 TCP conversations are parsed below.

tcp.stream eq 0
  [my_ip]:49246 to [webserver]:80
  HTTP GET /user_section_items/9202/vm_view/420e9af3-8c03-caa9-3ede-8fe07bbbbfe1
  Results in successful file transfer.  HTML file has HTML, CSS and JavaScript.
  JavaScript has functions to connect to the vcenter console.  Includes error text "The
  console has been disconnected. Refresh the page to reconnect."

tcp.stream eq 1
  [my_ip]:49247 to [webserver]:80
  HTTP GET /img/buttonbar-bg.png
  Results in 404

tcp.stream eq 2
  [my_ip]:49248 to [webserver]:80
  HTTP GET /css/button-leftside.png HTTP/1.1
  Results in 404

tcp.stream eq 3
  [my_ip]:49249 to [webserver]:9292
  HTTP GET /faye?message=%5728[blahblahblah]
  Returns OK & javascript/json object

tcp.stream eq 4
  [my_ip]:49250 to [webserver]:9292
  HTTP GET /faye
  Returns OK, switching protocols to websocket

tcp.stream eq 5
  [my_ip]:49251 to [vcenter]:9443
  SYN never receives response.  Re-transmitted twice.

tcp.stream eq 6
  [my_ip]:49252 to [webserver]:9443
  HTTP GET /faye?message=%3423[blahblahblah]
  Returns OK & javascript/another json object

tcp.stream eq 7
  [my_ip]:49253 to [vcenter]:9443
  SYN never receives response.  Re-transmitted twice.

tcp.stream eq 8
  [my_ip]:49254 to [vcenter]:9443
  SYN never receives response.  Re-transmitted once.

If you noticed the lack of response from [vcenter] like me, you might start feeling like this maybe isn't a user error.  I don't think the HTTP 404 responses are a big deal; they're just retrieving the image of a button and some button CSS.  That could easily be left over from the original site construction.
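Doing the same triage programmatically, as an added example that is not part of the original post: the script below reads a per-packet field dump produced by tshark (the command in the docstring is real tshark syntax; the capture file name is an assumption), groups SYN and SYN/ACK packets by tcp.stream, and reports which streams never got a SYN/ACK and which server endpoint they all point at. The sample lines are constructed to mirror the nine streams above, with 10.0.0.5, 192.0.2.10 and 192.0.2.20 standing in for [my_ip], [webserver] and [vcenter].

```python
"""Find TCP streams whose SYN never got a SYN/ACK in a tshark field dump.

The input is what this tshark command prints, one packet per line, tab-separated
(real flags; the capture file name is an assumption):

    tshark -r vm_launch.pcapng -Y "tcp.flags.syn==1" -T fields -E separator=/t \
        -e tcp.stream -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport \
        -e tcp.flags.syn -e tcp.flags.ack
"""
from collections import defaultdict

# tshark prints boolean fields as 1/0 (older releases) or True/False (newer ones).
TRUE_VALUES = {"1", "true"}


def is_set(flag):
    return flag.strip().lower() in TRUE_VALUES


def summarize_streams(lines):
    """Map tcp.stream id -> client, server, SYNs sent, and whether a SYN/ACK came back."""
    streams = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != 7:
            raise ValueError(f"expected 7 tab-separated fields, got {len(parts)}: {line!r}")
        sid, src, sport, dst, dport, syn, ack = parts
        if not is_set(syn):
            continue  # only SYN and SYN/ACK matter for a handshake check
        entry = streams.setdefault(
            int(sid), {"client": None, "server": None, "syn_count": 0, "handshake": False}
        )
        if is_set(ack):
            entry["handshake"] = True  # SYN/ACK: the server answered
        else:
            entry["syn_count"] += 1  # plain SYN; more than one means retransmissions
            entry["client"] = f"{src}:{sport}"
            entry["server"] = f"{dst}:{dport}"
    return streams


def unanswered_streams(streams):
    """Streams in which no SYN/ACK was ever seen."""
    return {sid: e for sid, e in streams.items() if not e["handshake"]}


def failing_servers(streams):
    """Group unanswered streams by server endpoint so a single dead host stands out."""
    by_server = defaultdict(list)
    for sid, entry in sorted(unanswered_streams(streams).items()):
        by_server[entry["server"]].append(sid)
    return dict(by_server)


def report(streams):
    """One line per stream, in the same shape as the hand-written list in the post."""
    lines = []
    for sid, e in sorted(streams.items()):
        status = ("handshake completed" if e["handshake"]
                  else f"SYN never answered, sent {e['syn_count']} time(s)")
        lines.append(f"tcp.stream eq {sid}: {e['client']} -> {e['server']}: {status}")
    return lines


# Constructed sample modelled on the nine streams in the post: 10.0.0.5 stands in for
# [my_ip], 192.0.2.10 for [webserver] and 192.0.2.20 for [vcenter].
SAMPLE = """\
0\t10.0.0.5\t49246\t192.0.2.10\t80\t1\t0
0\t192.0.2.10\t80\t10.0.0.5\t49246\t1\t1
1\t10.0.0.5\t49247\t192.0.2.10\t80\t1\t0
1\t192.0.2.10\t80\t10.0.0.5\t49247\t1\t1
2\t10.0.0.5\t49248\t192.0.2.10\t80\t1\t0
2\t192.0.2.10\t80\t10.0.0.5\t49248\t1\t1
3\t10.0.0.5\t49249\t192.0.2.10\t9292\t1\t0
3\t192.0.2.10\t9292\t10.0.0.5\t49249\t1\t1
4\t10.0.0.5\t49250\t192.0.2.10\t9292\t1\t0
4\t192.0.2.10\t9292\t10.0.0.5\t49250\t1\t1
5\t10.0.0.5\t49251\t192.0.2.20\t9443\t1\t0
5\t10.0.0.5\t49251\t192.0.2.20\t9443\t1\t0
5\t10.0.0.5\t49251\t192.0.2.20\t9443\t1\t0
6\t10.0.0.5\t49252\t192.0.2.10\t9292\t1\t0
6\t192.0.2.10\t9292\t10.0.0.5\t49252\t1\t1
7\t10.0.0.5\t49253\t192.0.2.20\t9443\t1\t0
7\t10.0.0.5\t49253\t192.0.2.20\t9443\t1\t0
7\t10.0.0.5\t49253\t192.0.2.20\t9443\t1\t0
8\t10.0.0.5\t49254\t192.0.2.20\t9443\t1\t0
8\t10.0.0.5\t49254\t192.0.2.20\t9443\t1\t0
"""

if __name__ == "__main__":
    summary = summarize_streams(SAMPLE.splitlines())
    print("\n".join(report(summary)))
    print("servers with unanswered SYNs:", failing_servers(summary))
```

Filtering on `tcp.flags.syn==1` keeps only the two packets that matter for the question "did anyone answer?", so a capture of a few hundred packets collapses to roughly two lines per stream, and grouping the unanswered ones by server endpoint shows immediately that every failure points at the same host and port rather than at scattered problems.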

A quick Google search of port 9443 identifies it as a vcenter administration port.  Seeing as no response is received, I figured we should see if the box is even up.

C:\>ping [vcenter]

Pinging [vcenter] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for [vcenter]:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

That would seem to be the problem: vcenter doesn't appear to be up.

... at least, that's what I hope.  Remember, we don't trust computers, so it's possible vcenter filters ping requests, and maybe I haven't authenticated correctly with vcenter, so it's ignoring my SYN on port 9443.

But that's a bit of a stretch, and I'm feeling like this is less of an issue of PEBKAC and more of a schoolhouse-turned-off-the-[vcenter] problem.
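One way to narrow the "is it down or is it filtering me" question, as an added example that is not part of the original post: a plain TCP connect gives more information than ping, because a RST (connection refused) or a SYN/ACK (open) proves the host is up regardless of how it treats ICMP, while a timeout is the only outcome that stays ambiguous. The self-check functions use loopback ports so the script runs offline; the commented-out call against [vcenter] keeps the post's placeholder and is not something that was run here.

```python
"""Tell 'host down' from 'port filtered' from 'port closed' with a plain TCP connect.

ICMP echo can be filtered, so a failed ping proves little.  A TCP connect answered
with a RST (refused) or a SYN/ACK (open) proves the host is up; only a timeout is
ambiguous between a dead box and a firewall dropping the SYN.
"""
import socket


def tcp_probe(host, port, timeout=3.0):
    """Return 'open', 'refused', 'timeout' or 'unreachable' for host:port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"              # SYN/ACK received: host up, service listening
    except ConnectionRefusedError:
        return "refused"           # RST received: host up, nothing on that port
    except socket.timeout:
        return "timeout"           # no SYN/ACK, no RST: host down or SYN silently dropped
    except OSError:
        return "unreachable"       # no route to host / network unreachable
    finally:
        sock.close()


def interpret(result):
    """Map a probe result onto the explanations being weighed in the post."""
    return {
        "open": "host is up and listening; the failure is above layer 4 (TLS, auth, app)",
        "refused": "host is up but nothing listens on that port; not a dead box",
        "timeout": "host down, or a firewall/ACL dropping the SYN; matches the unanswered SYNs",
        "unreachable": "no route from here; check the VPN and routing before blaming the host",
    }[result]


def probe_listening_port():
    """Self-check: probe a loopback port with a listener behind it (expected 'open')."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: let the kernel pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    try:
        return tcp_probe("127.0.0.1", port, timeout=2.0)
    finally:
        listener.close()


def probe_closed_port():
    """Self-check: probe a loopback port nothing listens on (expected 'refused')."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()                    # port is free again, so the kernel answers with a RST
    return tcp_probe("127.0.0.1", port, timeout=2.0)


if __name__ == "__main__":
    for label, result in (("listening", probe_listening_port()),
                          ("closed", probe_closed_port())):
        print(f"{label}: {result} -> {interpret(result)}")
    # Against the real target, with the post's placeholder host (not run here):
    # print(interpret(tcp_probe("[vcenter]", 9443)))
```

If the probe against port 9443 comes back "refused", the box is up and the story changes to "vcenter's web service isn't running"; if it comes back "timeout", the capture and the ping are both consistent, but the result still cannot separate a powered-off host from one whose firewall drops SYNs from this source, so the caveat in the post stands either way.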
