In the post we will learn more about working of localtunnel by analyzing request and response between localtunnel server and client using tcpdump. In earlier post we have learned about localtunnel architecture from theoretical perspective however in this article we will take more hands on approach. If you want to follow along then you can install localtunnel and host simple web application from your local computer. This post is divided into setting up monitoring foundation and analyzing actual data. If you don't want to follow along with your own application then you can directly jump to analysis section.
Monitoring Foundation
Get IP Adress of Localtunnel Server
Before analyzing request and response we would need IP Address of localtunnel server. Since we are going to use default server at localtunnel.me we will fetch details with nslookup like below.
$ nslookup localtunnel.me
Non-authoritative answer:
Name: localtunnel.me
Address: 138.197.63.247
Gather data with tcpdump
Once we have above IP we can redirect request and response data between local computer and localtunnel server into the file.
Note that once you start collecting data do not connect to localtunnel.me from browser or any other mean else you may get unnecessary noise into the data. You would need to sudo before running tcpdump.
$ sudo tcpdump | grep 138.197.63.247 >> lt_data.txt
Above command would keep collecting data into the file lt_data.txt. Later we will monitor this file to analyze collected data. You can also use packet capturing tool like wireshark for this purpose
Register Application with Localtunnel Client
We have hosted small web application locally on port 5000. We will expose this app on localtunnel.
$ lt -p 5000
Above command would give you random subdomain on which your application would be exposed. For advanced setup check all command line options of localtunnel client.
Open Subdomain in Browser
To capture http request and response via tcpdump you can open registered subdomain on same computer or from different computer.
While you follow above steps tcpdump would gather required data into the file. Once you are done with above steps you can stop tcpdump and start analyzing collected data.
Analyzing Collected Data
Registering an Application
Client at 192.168.2.100 uses tcp port 36934 and sends http request to localtunnel server running at 138.197.63.247.
IP 192.168.2.100.36934 > 138.197.63.247.http
Server acknowledges client request.
IP 138.197.63.247.http > 192.168.2.100.36934
Client sends one more HTTP request at localtunnel server to register application at path /?new which translates to http://localtunnel.me/?new.
IP 192.168.2.100.36934 > 138.197.63.247.http:GET /?new HTTP/1.1
Server provides an internal port and subdomain on which it has registered client application in JSON format. Server provides details in HTTP body. (Internal Port returned : 34223)
IP 138.197.63.247.http > 192.168.2.100.36934: HTTP: HTTP/1.1 200 OK
10 Active TCP Connections
Client opens 10 tcp connections on the internal port 34223 of server. Client keep listening on these connections to serve http requests from users.
IP 192.168.2.100.37112 > 138.197.63.247.34223
IP 192.168.2.100.37114 > 138.197.63.247.34223
IP 192.168.2.100.37116 > 138.197.63.247.34223
IP 192.168.2.100.37118 > 138.197.63.247.34223
IP 192.168.2.100.37120 > 138.197.63.247.34223
IP 192.168.2.100.37122 > 138.197.63.247.34223
IP 192.168.2.100.37124 > 138.197.63.247.34223
IP 192.168.2.100.37126 > 138.197.63.247.34223
IP 192.168.2.100.37128 > 138.197.63.247.34223
IP 192.168.2.100.37130 > 138.197.63.247.34223
HTTP Requests and Response
User opens application subdomain in browser which results in https request to localtunnel server.
IP 192.168.2.101.51760 > 138.197.63.247.https
Server replay user request and sends it to client (local computer) using one of the active client tcp connection.
IP 138.197.63.247.34223 > 192.168.2.100.37116
Local computer processes request from server and sends the response.
IP 192.168.2.100.37116 > 138.197.63.247.34223
Server relay back response to user.
IP 138.197.63.247.https >192.168.2.101.51760
Conclusion
Localtunnel server act as a proxy between user and local computer on which actual application is hosted. It uses active client tcp connections to relay requests and responses. Note that If any of the active tcp connection gets dropped then client again opens new tcp connection and always keep 10 active connections with server.