Tech Monger

Programming, Web Development and Computer Science.


Analyzing Working of Localtunnel with TCPDUMP

In this post we will learn more about how localtunnel works by analyzing the requests and responses between the localtunnel server and client using tcpdump. In an earlier post we looked at the localtunnel architecture from a theoretical perspective; in this article we take a more hands-on approach. If you want to follow along, you can install localtunnel and host a simple web application from your local computer. This post is divided into two parts: setting up the monitoring foundation and analyzing the actual data. If you don't want to follow along with your own application, you can jump directly to the analysis section.

Monitoring Foundation

Get IP Address of Localtunnel Server

Before analyzing requests and responses we need the IP address of the localtunnel server. Since we are going to use the default server at localtunnel.me, we look it up with nslookup as shown below.

$ nslookup localtunnel.me

Non-authoritative answer:
Name:	localtunnel.me
Address: 138.197.63.247

Gather data with tcpdump

Once we have the above IP, we can write the request and response data exchanged between the local computer and the localtunnel server to a file.

Note that once you start collecting data, do not connect to localtunnel.me from a browser or by any other means, or you may get unnecessary noise in the data. You need sudo to run tcpdump.

$ sudo tcpdump -l host 138.197.63.247 >> lt_data.txt

The above command keeps appending data to the file lt_data.txt. The host filter limits the capture to traffic to and from the server, and -l line-buffers the output so that lines reach the file as they are captured. Later we will monitor this file to analyze the collected data. You can also use a packet capturing tool like Wireshark for this purpose.

Register Application with Localtunnel Client

We have hosted a small web application locally on port 5000. We will expose this app through localtunnel.

$ lt -p 5000

The above command gives you a random subdomain on which your application is exposed. For advanced setup, check the command line options of the localtunnel client.

Open Subdomain in Browser

To capture the HTTP request and response with tcpdump, open the registered subdomain in a browser on the same computer or on a different one.

While you follow the above steps, tcpdump gathers the required data into the file. Once you are done, you can stop tcpdump and start analyzing the collected data.

Analyzing Collected Data

Registering an Application

The client at 192.168.2.100 uses TCP port 36934 and sends an HTTP request to the localtunnel server running at 138.197.63.247.

IP 192.168.2.100.36934 > 138.197.63.247.http

The server acknowledges the client's request.

IP 138.197.63.247.http > 192.168.2.100.36934

The client sends one more HTTP request to the localtunnel server to register the application at the path /?new, which translates to http://localtunnel.me/?new.

IP 192.168.2.100.36934 > 138.197.63.247.http: GET /?new HTTP/1.1

The server returns, in JSON format in the HTTP body, an internal port and the subdomain on which it has registered the client application. (Internal port returned: 34223)

IP 138.197.63.247.http > 192.168.2.100.36934: HTTP: HTTP/1.1 200 OK

10 Active TCP Connections

The client opens 10 TCP connections to the internal port 34223 of the server. The client keeps listening on these connections to serve HTTP requests from users.

IP 192.168.2.100.37112 > 138.197.63.247.34223
IP 192.168.2.100.37114 > 138.197.63.247.34223
IP 192.168.2.100.37116 > 138.197.63.247.34223
IP 192.168.2.100.37118 > 138.197.63.247.34223
IP 192.168.2.100.37120 > 138.197.63.247.34223
IP 192.168.2.100.37122 > 138.197.63.247.34223
IP 192.168.2.100.37124 > 138.197.63.247.34223
IP 192.168.2.100.37126 > 138.197.63.247.34223
IP 192.168.2.100.37128 > 138.197.63.247.34223
IP 192.168.2.100.37130 > 138.197.63.247.34223

HTTP Requests and Response

A user opens the application subdomain in a browser, which results in an HTTPS request to the localtunnel server.

IP 192.168.2.101.51760 > 138.197.63.247.https

The server relays the user request to the client (local computer) using one of the client's active TCP connections.

IP 138.197.63.247.34223 > 192.168.2.100.37116

The local computer processes the request from the server and sends the response.

IP 192.168.2.100.37116 > 138.197.63.247.34223

The server relays the response back to the user.

IP 138.197.63.247.https > 192.168.2.101.51760
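To check the connection pool from the collected file rather than by eye, the following added example (not from the original post or the localtunnel project) parses tcpdump text output and counts the distinct client sockets per internal server port. The function names are hypothetical, and the embedded sample is constructed from the capture lines quoted in this post.

```python
import re
from collections import defaultdict

# tcpdump text lines contain "IP <src>.<port> > <dst>.<port>"; the last dotted
# field is the port, shown as a number or as a service name such as "http".
LINE = re.compile(r"IP (\d+(?:\.\d+){3})\.(\w+) > (\d+(?:\.\d+){3})\.(\w+)")

# Constructed sample: the capture lines quoted in this post, joined into one text.
SAMPLE = "\n".join(
    ["IP 192.168.2.100.36934 > 138.197.63.247.http: GET /?new HTTP/1.1",
     "IP 138.197.63.247.http > 192.168.2.100.36934: HTTP: HTTP/1.1 200 OK"]
    + [f"IP 192.168.2.100.{p} > 138.197.63.247.34223" for p in range(37112, 37131, 2)]
    + ["IP 192.168.2.101.51760 > 138.197.63.247.https",
       "IP 138.197.63.247.34223 > 192.168.2.100.37116",
       "IP 192.168.2.100.37116 > 138.197.63.247.34223",
       "IP 138.197.63.247.https > 192.168.2.101.51760"]
)


def tunnel_pools(text, server_ip):
    """Group client sockets by the numeric server port they talk to.

    Ports printed as service names (http, https) are the public listeners and
    are skipped. Assumption: tcpdump ran without -n and the internal port has
    no service name, as in the capture shown in this post.
    """
    pools = defaultdict(set)
    for src, sport, dst, dport in LINE.findall(text):
        if dst == server_ip and dport.isdigit():
            pools[int(dport)].add((src, sport))   # client -> server
        elif src == server_ip and sport.isdigit():
            pools[int(sport)].add((dst, dport))   # server -> client (relayed request)
    return dict(pools)


def largest_pool(text, server_ip):
    """Return (internal_port, distinct_client_sockets), or None if no pool is seen."""
    pools = tunnel_pools(text, server_ip)
    if not pools:
        return None
    port = max(pools, key=lambda p: len(pools[p]))
    return port, len(pools[port])


if __name__ == "__main__":
    print(largest_pool(SAMPLE, "138.197.63.247"))
```

To run it on your own capture, pass the contents of lt_data.txt as the text argument. Relayed requests reuse an existing socket (37116 in the sample), so they do not change the count.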

Conclusion

The localtunnel server acts as a proxy between the user and the local computer on which the actual application is hosted. It uses the client's active TCP connections to relay requests and responses. Note that if any of the active TCP connections gets dropped, the client opens a new TCP connection and always keeps 10 active connections with the server.
