
Stuck in the Middle


This week I wanted to monitor several pieces of software that talk to one another via HTTP and HTTPS. All are running on the same machine, three are Linux services, and one is a standalone script. I was interested in being able to see all of the communications between them in one place, in time order.

I know a couple of ways of capturing this kind of data: proxying and network sniffing.

My default approach would be to have the applications configured to proxy via Fiddler running on my laptop inside the work network. Easy, right? Err, no, because I had forgotten that the machine in question is on a network that isn't considered secure and firewalls prevent that connection. In my proof of concept experiment, the standalone script just hung failing to find the proxy I had specified. Interesting behaviour, and I later reported it, but not what I needed right then. Next!

As all of the software is on the same machine, capturing network traffic into a pcap file using tcpdump should have been relatively straightforward and I could import it into Fiddler for viewing. Result! Err, no, because HTTPS traffic is not decrypted with this approach so I only got some of the comms. Next!

What if there was something like tcpdump for HTTPS? A bit of googling and I found ssldump. Result! Err, no, because although it was simple to install, I couldn't make it work quickly and the data I was trying to gather was not important enough to invest enormous amounts of time in learning a new tool. (Although knowing that this tool exists might be very useful to me in future.) Next!

Back to proxying. What about if I run a proxy on the machine itself? I remembered playing with mitmproxy a long time ago and its web page says it deals with HTTPS so I installed it. Result! Err, no, because the latest version won't run due to a C library incompatibility on this machine. A quick search on the developer forums suggests that this is a known and accepted issue:
We build our releases using PyInstaller on GitHub CI runners, and that combo doesn't allow us to support earlier glibc versions. Please go bother RedHat.
I have been burned before by trying to upgrade Linux C libraries and, again, today is not the day for deep diving into infrastructure that only facilitates a potentially interesting but not crucial experiment. Next!

Hold on, I'm not ready to give up on mitmproxy yet. Might there be an older version that depends on an earlier C library? Is there a page I can download historical versions from? There is. Result! And this time, after stepping back a major version at a time, I got 2.0 running on the box. Double result! Next!

Next is to repeat the proof of concept test with the standalone script. The script has no proxy configuration options but I know it's running Python's requests library and an earlier search told me that it should respect the Linux HTTP proxy environment variables.

So, in one shell I started mitmdump, a flavour of mitmproxy:
$ ./mitmdump
Proxy server listening at http://0.0.0.0:8080
In another shell, I set the environment variables to point at the proxy's URL and ran the script:
$ export http_proxy=http://0.0.0.0:8080
$ export https_proxy=http://0.0.0.0:8080
$ ./myscript
At this stage, I don't care to know which of the proxy variables requests will respect, so I simply set them both. 
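Which variable applies depends on the scheme of the URL being requested, so a missing or overridden variable leaves part of the traffic out of the capture. The following is an added example, not code from the original post: it uses the Python standard library's environment-proxy lookup (which requests relies on to read these variables) to list the URLs that would bypass the proxy. The no_proxy value and the 10.0.0.1 address are constructed, and requests' own no_proxy matching may differ in detail.

```python
import os
from unittest import mock
from urllib.parse import urlsplit
from urllib.request import getproxies_environment, proxy_bypass_environment

# Constructed sample values: the proxy URL and host name are the ones shown in
# the post; the no_proxy entry and the second proxy address are made up.
MITM = "http://0.0.0.0:8080"
POST_ENV = {"http_proxy": MITM, "https_proxy": MITM}


def effective_proxy(url, env):
    """Return the proxy URL that environment `env` selects for `url`, or None
    when the request would go direct and never reach the capture."""
    with mock.patch.dict(os.environ, env, clear=True):
        # Lowercase names win over uppercase ones; keys are 'http', 'https', 'no'.
        proxies = getproxies_environment()
    parts = urlsplit(url)
    # no_proxy is matched against the host (with and without port) by suffix.
    if proxy_bypass_environment(parts.netloc, proxies):
        return None
    # The variable is chosen by the scheme of the *target* URL, not the proxy's.
    return proxies.get(parts.scheme)


def blind_spots(urls, env):
    """List the URLs that would bypass the proxy under `env`."""
    return [u for u in urls if effective_proxy(u, env) is None]


if __name__ == "__main__":
    targets = ["https://myserver:8000/endpoint", "http://myserver:8000/endpoint"]
    cases = {
        "both set (as in the post)": POST_ENV,
        "only http_proxy": {"http_proxy": MITM},
        "inherited no_proxy": {**POST_ENV, "no_proxy": "localhost,myserver"},
        "upper vs lower case": {"HTTPS_PROXY": "http://10.0.0.1:3128", **POST_ENV},
    }
    for label, env in cases.items():
        print(f"{label}: direct (uncaptured) -> {blind_spots(targets, env) or 'none'}")
```

A listener on 0.0.0.0 accepts connections on every interface of the machine, and a client on the same host reaches it equally well at 127.0.0.1:8080.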

Result! HTTPS traffic appears in mitmdump's console and it's the kind of traffic I expect. 
127.0.0.1:55984: POST https://myserver:8000/endpoint
              << 201 Created 91b
127.0.0.1:55984: GET https://myserver:8000/endpoint/result_data
              << 200 OK 20b
Next!

Next was to get the various services configured to proxy through the same mitm instance too. Unfortunately I found that they do not have proxy configuration options. I wondered whether they would respect the Linux environment variables but didn't know how to set them in the environments that the services ran in. I pinged the testers for those services in chat and in parallel did some more googling.

It seems that it's possible to set environment variables in an override file per service. Result! So I invoked the service editor and entered the runes required to set the same variables for one of the services:  
$ systemctl edit myservice

[Service]
Environment="http_proxy=http://0.0.0.0:8080"
Environment="https_proxy=http://0.0.0.0:8080"

$ systemctl restart myservice
Next! 

I ran the script again and this time saw traffic from both it and outbound from the service it was speaking to. Result! I quickly configured the other services in the same way and had the monitoring that I needed: all the traffic from all pieces of the infrastructure I cared about, aggregated in one time-ordered location.

In total, this took about an hour, and I spent another few minutes writing the steps up on our wiki for future reference. (Years ago I set up a wiki page called Log More From ... where we've documented the various tricks we've used over the years to get access to data around our products and tooling.)

A moment of reflection, then: I had a mission here. I didn't state it explicitly, but it was something like this: explore setting up HTTP/HTTPS monitoring using whatever tools work to get inter-application monitoring data for a specific analysis. The experiment I was engaged in was a nice-to-have. I was already reasonably confident that the right functional things were happening, and I had access to HTTP logs for some of the pieces of the infrastructure, so I didn't want this to be a time sink.

This framed the way I approached the problem. I have some background here, so I tried approaches that I was familiar with first. I used something like the plunge-in-and-quit heuristic, which I first read about in Lessons Learned in Software Testing, and which James Bach describes succinctly as: 
...pick something that looks hard to do and just attempt to do it right away. It doesn’t matter what you pick. The point is to try to do something now. You can always quit if it’s not getting done.
This mindset helps to stop me from disappearing down intellectually interesting or technically challenging rabbit holes: if it's not working, step back and try another way. 

Another thing that helps is having been in these kinds of situations before. My experience helps me to judge when to quit and when to continue plunging. Unfortunately, there's no substitute for experience. And the truth is that the judgements made even with experience can still be wrong: if I'd spent another couple of minutes working out what I was doing wrong with ssldump, perhaps I'd have satisfied my need ten minutes in? Yes, perhaps, or perhaps I'd have burned the whole hour fiddling.

On the whole I'm happy with how this went. I got what I needed in a proportionate time, I learned a little more about mitmproxy, I learned a new trick for configuring the environment of Linux services, and I learned of the existence of ssldump which could be just the tool I need in some future situation. Result! 
