SOCKTRC tool


The SOCKTRC command line utility which is part of the HTTPREPLAY tool is a "socket based proxy". Some people also call such utility a "socket listener". I wrote this tool long time ago mainly to troubleshoot HTTP issues but the tool can also be used to trace any TCP based protocol such as SMTP, POP3..etc.  In addition to being a socket listener, the tool implements the following features :

- display & filtering capabilities
- change data on the fly
- simulate slow speed connection
- extensible architecture through simple extension DLL


Let's take a deeper look at the tool...


Using SOCKTRC


For HTTP troubleshooting, the tool can be used using 2 different methods :



Method #1 - Use SOCKTRC to remote a web server (or any TCP based server like SMTP,POP...etc)

From the command prompt, run "SOCKTRC /S:80 /D:80 /OS /OD /V /H:mywebserver". Congratulations! You now have a new web site available on your machine. To dump the traffic between IE and mywebserver, run Internet Explorer and connect to "http://localhost". Note that if you already have a local web server, you'll need to use another port than 80 (ex. : run "SOCKTRC /S:82 /D:80 /OS /OD /V /H:mywebserver" and use "http://localhost:82" as the URL). Of course this method will only work as long as the hyperlinks used are relatives since clicking on a URL like http://www.microsoft.com will completely "bypass" the tool...



Method #2 - SOCKTRC as HTTP proxy server

Assuming TCP port 80 is not used, run "SOCKTRC /S:80 /D:80 /OS /OD /V /H:myhttpproxy". You can then run Internet Explorer and set localhost:80 as your HTTP proxy server (ensure IE option "Bypass proxy for local addresses" is *not* checked). Once this has been done, all traffic will be dumped by SOCKTRC regardless of the URLs accessed


If you want to trace non HTTP protocols like SMTP, POP..etc only method 1 can be used.


Customizing trace output



By default, SOCKTRC just displays a summary of the data sent/received. For example, running "SOCKTRC /S:80 /D:80 /H:MYWEBSERVER" and connecting with IE to "http://localhost" will result in the following display :

SOCKTRC /S:80 /D:80 /H:MYWEBSERVER


11:41:34:057 ==================================================================
11:41:34:057 Protocol : TCP
11:41:34:057 Source port : 80
11:41:34:057 Bind on adapter : INADDR_ANY
11:41:34:057 Destination port : 80
11:41:34:057 Destination host : MYWEBSERVER
11:41:34:057 ==================================================================
Press to exit.
11:41:37:159 #0 - New connection accepted (127.0.0.1:3387)
11:41:37:174 #0 - 127.0.0.1:3387 -> :80 (377 bytes / total : 377 bytes) :3388 -> MYWEBSERVER:80
11:41:42:516 #0 - 127.0.0.1:3387 <- :80 (4096 bytes / total : 4096 bytes) :3388 <- MYWEBSERVER:80
11:41:42:516 #0 - 127.0.0.1:3387 <- :80 (593 bytes / total : 4689 bytes) :3388 <- MYWEBSERVER:80
11:41:42:516 #0 - 127.0.0.1:3387 -> :80 (463 bytes / total : 840 bytes) :3388 -> MYWEBSERVER:80
11:41:43:064 #0 - 127.0.0.1:3387 <- :80 (4096 bytes / total : 8785 bytes) :3388 <- MYWEBSERVER:80
11:41:43:064 #0 - 127.0.0.1:3387 <- :80 (504 bytes / total : 9289 bytes) :3388 <- MYWEBSERVER:80
11:41:43:064 #0 - 127.0.0.1:3387 -> :80 (615 bytes / total : 1455 bytes) :3388 -> MYWEBSERVER:80
11:41:43:299 #0 - 127.0.0.1:3387 <- :80 (359 bytes / total : 9648 bytes) :3388 <- MYWEBSERVER:80
11:41:43:330 #0 - 127.0.0.1:3387 -> :80 (493 bytes / total : 1948 bytes) :3388 -> MYWEBSERVER:80
11:41:43:518 #0 - 127.0.0.1:3387 <- :80 (4096 bytes / total : 13744 bytes) :3388 <- MYWEBSERVER:80
...


To get all the data displayed use "/OS" (dump data from client) "/OD" (dump data from server) and "/V" to display all data in hex format :

SOCKTRC /S:80 /D:80 /H:MYWEBSERVER /OS /OD /V
...
12:26:31:401 #0 - New connection accepted (127.0.0.1:3784)
12:26:31:401 #0 - 127.0.0.1:3784 -> :80 (269 bytes / total : 269 bytes) :3785 -> MYWEBSERVER:80


=> ==================================================================
00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 0123456789abcdef


0000: 47 45 54 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a GET / HTTP/1.1..
0010: 41 63 63 65 70 74 3a 20 2a 2f 2a 0d 0a 41 63 63 Accept: */*..Acc
0020: 65 70 74 2d 4c 61 6e 67 75 61 67 65 3a 20 65 6e ept-Language: en
0030: 2d 75 73 0d 0a 41 63 63 65 70 74 2d 45 6e 63 6f -us..Accept-Enco
0040: 64 69 6e 67 3a 20 67 7a 69 70 2c 20 64 65 66 6c ding: gzip, defl
0050: 61 74 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a ate..User-Agent:
0060: 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f Mozilla/4.0 (co
0070: 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 36 mpatible; MSIE 6
0080: 2e 30 3b 20 57 69 6e 64 6f 77 73 20 4e 54 20 35 .0; Windows NT 5
0090: 2e 31 3b 20 2e 4e 45 54 20 43 4c 52 20 31 2e 30 .1; .NET CLR 1.0
00a0: 2e 33 37 30 35 29 0d 0a 48 6f 73 74 3a 20 6c 6f .3705)..Host: lo
00b0: 63 61 6c 68 6f 73 74 3a 38 32 0d 0a 43 6f 6e 6e calhost:82..Conn
00c0: 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 ection: Keep-Ali
00d0: 76 65 0d 0a 43 6f 6f 6b 69 65 3a 20 41 53 50 53 ve..Cookie: ASPS
00e0: 45 53 53 49 4f 4e 49 44 47 47 51 51 47 4b 57 47 ESSIONIDGGQQGKWG
00f0: 3d 4f 43 4b 4e 45 4e 48 43 49 42 44 46 4b 47 42 =OCKNENHCIBDFKGB
0100: 50 4b 45 4d 46 46 4a 43 43 0d 0a 0d 0a PKEMFFJCC....
==================================================================
12:26:31:401 #0 - 127.0.0.1:3784 <- :82 (1544 bytes / total : 1544 bytes) :3785 <- MYWEBSERVER:80


=> ==================================================================
00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 0123456789abcdef


0000: 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d HTTP/1.1 200 OK.
0010: 0a 53 65 72 76 65 72 3a 20 4d 69 63 72 6f 73 6f .Server: Microso
0020: 66 74 2d 49 49 53 2f 35 2e 31 0d 0a 44 61 74 65 ft-IIS/5.1..Date
0030: 3a 20 57 65 64 2c 20 30 34 20 53 65 70 20 32 30 : Wed, 04 Sep 20
0040: 30 32 20 31 30 3a 32 36 3a 33 31 20 47 4d 54 0d 02 10:26:31 GMT.
0050: 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a .Content-Length:
0060: 20 31 33 39 30 0d 0a 43 6f 6e 74 65 6e 74 2d 54 1390..Content-T
0070: 79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 0d 0a ype: text/html..
0080: 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 3a 20 70 Cache-control: p
0090: 72 69 76 61 74 65 0d 0a 0d 0a 3c 68 74 6d 6c 3e rivate....
00a0: 20 0d 0a 20 20 0d 0a 3c 68 65 61 64 3e 0d 0a 3c .. ....<
00b0: 6c 69 6e 6b 20 74 79 70 65 3d 27 74 65 78 74 2f link type='text/
00c0: 78 6d 6c 27 20 72 65 6c 3d 27 61 6c 74 65 72 6e xml' rel='altern
00d0: 61 74 65 27 20 68 72 65 66 3d 27 2f 44 65 66 61 ate' href='/Defa
...

To display only the first 100 bytes of client data, use "/OS:100" :


SOCKTRC /S:80 /D:80 /H:MYWEBSERVER /OS:100
...
12:33:58:693 #0 - New connection accepted (127.0.0.1:3819)
12:33:58:693 #0 - 127.0.0.1:3819 -> :82 (269 bytes / total : 269 bytes) :3820 -> MYWEBSERVER:80


=>GET / HTTP/1.1..Accept: */*..Accept-Language: en-us..Accept-Encoding: gzip, deflate..User-Agent: Moz
12:33:58:708 #0 - 127.0.0.1:3819 <- :82 (1544 bytes / total : 1544 bytes) :3820 <- MYWEBSERVER:80
12:33:58:708 #0 - 127.0.0.1:3819 -> :82 (413 bytes / total : 682 bytes) :3820 -> MYWEBSERVER:80


=>GET /_themes/artsy/arts1011.css HTTP/1.1..Accept: */*..Referer: http://localhost..Accept-Language
12:33:58:708 #0 - 127.0.0.1:3819 <- :82 (141 bytes / total : 1685 bytes) :3820 <- MYWEBSERVER:80
12:33:58:740 #0 - 127.0.0.1:3819 -> :82 (441 bytes / total : 1123 bytes) :3820 -> MYWEBSERVER:80


=>GET /default.asp HTTP/1.1..Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application
12:33:58:755 #0 - 127.0.0.1:3819 <- :82 (2291 bytes / total : 3976 bytes) :3820 <- MYWEBSERVER:80
12:33:58:755 #1 - New connection accepted (127.0.0.1:3821)
12:33:58:755 #1 - 127.0.0.1:3821 -> :82 (439 bytes / total : 439 bytes) :3822 -> MYWEBSERVER:80


=>GET /navbar.asp HTTP/1.1..Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/v
12:33:58:755 #1 - 127.0.0.1:3821 <- :82 (1444 bytes / total : 1444 bytes) :3822 <- MYWEBSERVER:80
12:33:58:755 #0 - 127.0.0.1:3819 -> :82 (438 bytes / total : 1561 bytes) :3820 -> MYWEBSERVER:80

To display only the 100 bytes sent by the server, just use "/OD:100" (this can be combined with /OS:100).

It is also possible to filter the data displayed based on its contents. For example, you can display only "401" responses from server using "/HSS:401". Same filtering can be done on the client. For example, to only display POST request, use "/CSS:POST".


Other tips & tricks



  • SOCKTRC uses the ETC/SERVICES file so, assuming your SERVICES file is correctly populated, you can type something like :




"SOCKTRC /s:HTTP /d:HTTP /os /od /v". This is usefull if you do not know all port numbers...



  • SOCKTRC binds by default on INADDR_ANY. You can bind SOCKTRC on a specific network adapted using the "/B" option

  • You can change data on the fly using the "/CSR:" (data from client) and "/HSR:" (data from server) flags. The following command changes "Cache-Control" to "Xache-Control" in all content sent by MYWEBSERVER : 


"SOCKTRC /s:80 /d:80 /os /od /v /HSS:Cache-Control /HSR:Xache-Control /H:MYWEBSERVER".


This feature can be usefull for testing purposes (for example, to adjust an invalid content-length or remove HTTP no-cache header). Note that in many cases, you have to make sure that searched/replaced strings have the same length (to maintain valid content-length or chunck size).



  • When you search or replace data, you can specify binary data using hex format HxHH (example : "/CSS:0x610x620x63" is equivalent to "/CSS:abc")

  • The "/F" flag can be used to display only the data coming from a specific client. (this is usefull if multiple machines are connecting to SOCKTRC source port as you may only be interested to do traces for one specific machine).

FAQ 


Here is a small FAQ regarding the tool and issues you may get and hopefully resolve!



SOCKTRC arguments

























































































SOCKTRC </S:port> </D:port> </B:adapter> [/H:host] [/F:client] [/OS:n] [/OD:n] [/U] [/R] [/L:speed] [/V]
/S:sourceport source port to use
/D:destport destination port to use (-1 to drop incoming data)
/B:adapter bind on adapter (IP/hostname)
/H:host destination IP/hostname
/F:client only output data to/from client
/CSS:csstring only output data from client containing csstring
/CSR:csrstring replace csstring by csrtring
/HSS:hsstring only output data from destination containg hsstring
/HSR:hsrstring replace hsstring by hsrstring
/OS[:n] output [n] characters sent by source
/OD[:n] output [n] characters sent by destination
/U use UDP (by default, TCP is used)
/R resolve client IP address
/L:speed simulate a speed bps connection
/PC:sleepdelay sleep x ms before sending to source
/PH:speeddelay sleep x ms before sending to destination
/MC:buffersize use buffersize for recv from client
/MH:buffersize use buffersize for recv from destination
/N:string decode BASE64 data located after string
/V verbose (hexadecimal) output
/T silent mode (minimum output)
/I install as a service
/Z remove service
/X only allow incoming connection from local machine
/E:DLL load DLL extension

Examples :

socktrc /s:http /d:http /h:www.ibm.com /os:40 /v
socktrc /s:dns /d:dns /h:mydnsserver /os /od /v /u /r
socktrc /s:82 /d:80 /h:myproxy /os /od /v /r /n:NTLM0x20


When I run SOCKTRC, I get the following error : "ListeningThread : error on bind() : 10048"

This occurs because the source port (/S:portnumber) specified is already bound by another application (for example IIS). You can solve the issue by either using a different source port for SOCKTRC or change the port used by the other application (IIS).



What is a SOCKTRC DLL extension and how to write one ?

SOCKTRC can call a custom extension DLL whenever data is sent/received.This allows the extension to filter or change data. The HTTPREPLAY tool is mainly built on this feature.


An extension DLL just needs to export the following function :


//*************************************************************************
// debug & dump functions provided by SOCKTRC
//*************************************************************************
typedef void DumpDataFunc(char *data, DWORD size,BOOL fromclient,DWORD ThreadIndex,BOOL DataDump);
typedef void DebugMsgFunc(char *format,...);

DumpDataFunc *gDumpData;
DebugMsgFunc *gDebugMsg;

//*************************************************************************
// SocktrcExtInit
//*************************************************************************
DllExport SocktrcExtInit(int sourceport,int destport,DumpDataFunc *pfDumpData,DebugMsgFunc *pfDebugMsg)
{
gDumpData=pfDumpData;
gDebugMsg=pfDebugMsg;
gDebugMsg("Extension loaded...");
...
}



//*************************************************************************
// SocktrcExt
//
// IP : client address
// buffer : data received or sent
// bufsize : size of buffer
// from client : TRUE if data comes from the client, FALSE if data comes from the host
// sock_client : client's socket
// sock_server : server's (host) socket
\*************************************************************************/
DllExport BOOL SocktrcExt(char *ip,char *buffer,INT *bufsize,BOOL fromclient,SOCKET sock_client,SOCKET sock_server,DWORD ID)
{
...
// add you filtering code here
// the following line sends back data to the client and dumps it using the hex dump function provided by socktrc :
send(sock_client,data,szdata,0);
gDumpData(data,szdata,FALSE,ID,TRUE);
...
}


How does the /l option work ?

The /l option allows to introduce a "sleep delay" on send/receive of data. The sleep delay is implemented as follow : sleep delay (seconds) = BytesRead*8/linkSpeed

If 4 kbytes are received and the "link speed" is set to 9600 (bps), the sleep delay will be 4096*8/9600=3.41 seconds. Once the sleep delay has terminated, the 4kb are sent.


Can I use SOCKTRC to remote a production web server ?

No! SOCKTRC is not designed to handle a large amount of clients. Whenever a new connection is done to SOCKTRC, 2 threads are created (one thread forwards data from client to server and the other thread does the opposite). This design prevents to handle a large amount of clients (more than 20 clients).  



What is the purpose of the /X option ?

The /X option has been introduced to prevent remote incoming connections. This option is usefull if you want to avoid to proxy malware data for example. Proxying malware traffic could make think network administrators that your machine is infected by malware even if it isn't. By using the /X option, you only allow local application to connect to SOCKTRC.


How do I use SOCKTRC as a service ?

First, ensure that the SOCKTRC arguments that you plan to use are valid. If your plan is to use SOCKTRC to silently proxy HTTP traffic, then you may want to use arguments like : "SOCKTRC /S:80 /D:80 /H:someweb /T". Once you have tested and confirmed that the SOCKTRC command line is valid, all tou have to do is to type the desired command line and add the "/I" flag to install the SOCKTRC service. You can then "NET START SOCKTRC"... When SOCKTRC is executed as a service, the output is sent using OutputDebugString (you can use a tool like DBMON to display it).


 


Skip to main content