Analyzing the Capture in Ethereal
The easiest way to analyze a capture in Ethereal is to filter the
display down to the HTTP traffic only. In many cases, this
would not be appropriate, but since we're dealing with FrontPage
and HTTP traffic here, let's hide all of the other stuff that's
going on in the network.
To filter out everything but the HTTP traffic, you simply
enter "http" in the filter dropdown in Ethereal as shown in the
shot below.

Notice that the background of the dropdown is green. When
you enter a filter expression in the dialog, the background
color will change to red if the filter expression is invalid and
green when it is valid. Very nice! Notice also that
in the Protocol column, only HTTP is shown.
Now let's build on the knowledge you already have.
Remember that the first thing that happens is a 401 back from
the Web server. Let's have a look at that. Here it
is from the Web server that is hosting the Jimco Software Web site when I
attempt to open http://www.jimcoaddins.com from FrontPage:

I have shrunk some of the columns here so that the data would
nicely fit on this page, but the important information is still
visible. Here you can see a POST to _vti_bin/_vti_aut/author.exe.
This is the request being made by FrontPage for Author access
against the Web site. If you look three lines down, you
can see the 401 coming back from the Web server that says
"Access denied." Let's look at the 401 error more
closely:

Here you can see the Web server reply with a 401 and two
WWW-Authenticate headers: one for Negotiate and one for NTLM.
You can also see that this response is coming from an IIS 5.0
Web server, so we know that this host is running Windows 2000.
This response tells Wininet that it can reply
back with either Negotiate authentication or NTLM
authentication. Wininet will work from the top down, so it
will send Negotiate if possible in this case.
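
As an added illustration (not part of the original article), this Python sketch parses a 401 like the one described above, keeps both WWW-Authenticate headers in wire order, and picks the first offered scheme the client supports, which is the top-down behavior the text attributes to Wininet. The sample bytes and all function names are constructed for the example, and it assumes one challenge per header line, as in the response shown here.

```python
# Constructed sample modeled on the 401 described above (not bytes from the author's capture).
SAMPLE_401 = (
    b"HTTP/1.1 401 Access Denied\r\n"
    b"Server: Microsoft-IIS/5.0\r\n"
    b"WWW-Authenticate: Negotiate\r\n"
    b"WWW-Authenticate: NTLM\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

def parse_response(raw):
    """Return (status_code, [(name, value), ...]), keeping duplicate headers in order."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP response status line")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip anything that is not a "Name: value" line
            headers.append((name.strip().lower(), value.strip()))
    return int(parts[1]), headers

def offered_schemes(headers):
    """Scheme token from every WWW-Authenticate header, in the order the server sent them."""
    return [value.split(None, 1)[0]
            for name, value in headers
            if name == "www-authenticate" and value]

def pick_scheme(offered, supported):
    """Top-down choice: the first offered scheme that the client also supports."""
    supported_lower = {s.lower() for s in supported}
    for scheme in offered:
        if scheme.lower() in supported_lower:
            return scheme
    return None

def summarize(raw, supported=("Negotiate", "NTLM")):
    status, headers = parse_response(raw)
    offered = offered_schemes(headers)
    return {
        "status": status,
        "server": dict(headers).get("server"),
        "offered": offered,
        "chosen": pick_scheme(offered, supported) if status == 401 else None,
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_401))
```
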