
Stuck in the Middle


This week I wanted to monitor several pieces of software that talk to one another via HTTP and HTTPS. All are running on the same machine, three are Linux services, and one is a standalone script. I was interested in being able to see all of the communications between them in one place, in time order.

I know a couple of ways of capturing this kind of data: proxying and network sniffing.

My default approach would be to have the applications configured to proxy via Fiddler running on my laptop inside the work network. Easy, right? Err, no, because I had forgotten that the machine in question is on a network that isn't considered secure and firewalls prevent that connection. In my proof of concept experiment, the standalone script just hung failing to find the proxy I had specified. Interesting behaviour, and I later reported it, but not what I needed right then. Next!

As all of the software is on the same machine, capturing network traffic into a pcap file using tcpdump should have been relatively straightforward and I could import it into Fiddler for viewing. Result! Err, no, because HTTPS traffic is not decrypted with this approach so I only got some of the comms. Next!

What if there was something like tcpdump for HTTPS? A bit of googling and I found ssldump. Result! Err, no, because although it was simple to install, I couldn't make it work quickly and the data I was trying to gather was not important enough to invest enormous amounts of time in learning a new tool. (Although knowing that this tool exists might be very useful to me in future.) Next!

Back to proxying. What about if I run a proxy on the machine itself? I remembered playing with mitmproxy a long time ago and its web page says it deals with HTTPS so I installed it. Result! Err, no, because the latest version won't run due to a C library incompatibility on this machine. A quick search on the developer forums suggests that this is a known and accepted issue:
We build our releases using PyInstaller on GitHub CI runners, and that combo doesn't allow us to support earlier glibc versions. Please go bother RedHat.
I have been burned before by trying to upgrade Linux C libraries and, again, today is not the day for deep diving into infrastructure that only facilitates a potentially interesting but not crucial experiment. Next!

Hold on, I'm not ready to give up on mitmproxy yet. Might there be an older version that depends on an earlier C library? Is there a page I can download historical versions from? There is. Result! And this time, after stepping back a major version at a time, I got 2.0 running on the box. Double result! Next!

Next is to repeat the proof of concept test with the standalone script. The script has no proxy configuration options but I know it's running Python's requests library and an earlier search told me that it should respect the Linux HTTP proxy environment variables.

So, in one shell I started mitmdump, a flavour of mitmproxy:
$ ./mitmdump
Proxy server listening at http://0.0.0.0:8080
In another shell, I set the environment variables to point at the proxy's URL and ran the script:
$ export http_proxy=http://0.0.0.0:8080
$ export https_proxy=http://0.0.0.0:8080
$ ./myscript
At this stage, I don't care to know which of the proxy variables requests will respect, so I simply set them both. 

Result! HTTPS traffic appears in mitmdump's console and it's the kind of traffic I expect. 
127.0.0.1:55984: POST https://myserver:8000/endpoint
              << 201 Created 91b
127.0.0.1:55984: GET https://myserver:8000/endpoint/result_data
              << 200 OK 20b
Next!

Next was to get the various services configured to proxy through the same mitm instance too. Unfortunately I found that they do not have proxy configuration options. I wondered whether they would respect the Linux environment variables but didn't know how to set them in the environments that the services ran in. I pinged the testers for those services in chat and in parallel did some more googling.

It seems that it's possible to set environment variables in an override file per service. Result! So I invoked the service editor and entered the runes required to set the same variables for one of the services:  
$ systemctl edit myservice

[Service]
Environment="http_proxy=http://0.0.0.0:8080"
Environment="https_proxy=http://0.0.0.0:8080"

$ systemctl restart myservice
Next! 

I ran the script again and this time saw traffic from both it and outbound from the service it was speaking to. Result! I quickly configured the other services in the same way and had the monitoring that I needed: all the traffic from all pieces of the infrastructure I cared about, aggregated in one time-ordered location.
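
The per-service override described above, scripted for several services together with a matching clean-up step, as an added example that is not part of the original post. The drop-in file name, the `DROPIN_ROOT` and `PROXY_URL` variables and the function names are assumptions, and the proxy is addressed as 127.0.0.1 rather than 0.0.0.0.

```sh
#!/bin/sh
# Added example (not from the original post): manage a temporary proxy
# drop-in for several systemd services and remove it again afterwards.
# DROPIN_ROOT, DROPIN_NAME and PROXY_URL are assumed names for this sketch.
DROPIN_ROOT="${DROPIN_ROOT:-/etc/systemd/system}"
DROPIN_NAME="90-debug-proxy.conf"
PROXY_URL="${PROXY_URL:-http://127.0.0.1:8080}"

# Write <unit>.service.d/90-debug-proxy.conf with both proxy variables.
write_proxy_dropin() {
    dir="$DROPIN_ROOT/$1.service.d"
    mkdir -p "$dir" || return 1
    cat > "$dir/$DROPIN_NAME" <<EOF
[Service]
Environment="http_proxy=$PROXY_URL"
Environment="https_proxy=$PROXY_URL"
EOF
}

# Delete only the file this script created; leave other overrides alone.
remove_proxy_dropin() {
    rm -f "$DROPIN_ROOT/$1.service.d/$DROPIN_NAME"
    rmdir "$DROPIN_ROOT/$1.service.d" 2>/dev/null || true
}

# Print every service that still carries the debug drop-in, one per line,
# so a forgotten override is easy to spot once the experiment is over.
list_proxied_services() {
    for f in "$DROPIN_ROOT"/*.service.d/"$DROPIN_NAME"; do
        [ -e "$f" ] || continue
        d=$(dirname "$f")
        basename "$d" .service.d
    done
}

# Usage (as root): proxy_on myservice otherservice
# Check with:      systemctl show -p Environment myservice
proxy_on() {
    for s in "$@"; do write_proxy_dropin "$s" || return 1; done
    systemctl daemon-reload && systemctl restart "$@"
}

# Usage (as root): proxy_off myservice otherservice
proxy_off() {
    for s in "$@"; do remove_proxy_dropin "$s"; done
    systemctl daemon-reload && systemctl restart "$@"
}
```

Running `list_proxied_services` after the monitoring session shows any service still pointed at the proxy, which would otherwise keep sending its traffic to a listener that may no longer be running.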

In total, this took about an hour, and I spent another few minutes writing the steps up on our wiki for future reference. (Years ago I set up a wiki page called Log More From ... where we've documented the various tricks we've used over the years to get access to data around our products and tooling.)

A moment of reflection, then: I had a mission here. I didn't state it explicitly, but it was something like this: explore setting up HTTP/HTTPS monitoring using whatever tools work to get inter-application monitoring data for a specific analysis. The experiment I was engaged in was a nice-to-have. I was already reasonably confident that the right functional things were happening, and I had access to HTTP logs for some of the pieces of the infrastructure, so I didn't want this to be a time sink.

This framed the way I approached the problem. I have some background here, so I tried approaches that I was familiar with first. I used something like the plunge-in-and-quit heuristic, which I first read about in Lessons Learned in Software Testing, and which James Bach describes succinctly as: 
...pick something that looks hard to do and just attempt to do it right away. It doesn’t matter what you pick. The point is to try to do something now. You can always quit if it’s not getting done.
This mindset helps to stop me from disappearing down intellectually interesting or technically challenging rabbit holes: if it's not working, step back and try another way. 

Another thing that helps is having been in these kinds of situations before. My experience helps me to judge when to quit and when to continue plunging. Unfortunately, there's no substitute for experience. And the truth is that the judgements made even with experience can still be wrong: if I'd spent another couple of minutes working out what I was doing wrong with ssldump, perhaps I'd have satisfied my need ten minutes in? Yes, perhaps, or perhaps I'd have burned the whole hour fiddling.

On the whole I'm happy with how this went. I got what I needed in a proportionate time, I learned a little more about mitmproxy, I learned a new trick for configuring the environment of Linux services, and I learned of the existence of ssldump which could be just the tool I need in some future situation. Result! 
Image: https://flic.kr/p/uJj1G5
Highlighting: markup.su
