Wireshark mailing list archives
Re: invalid request
From: Guy Harris <guy () alum mit edu>
Date: Tue, 13 Mar 2012 23:34:50 -0700
On Mar 13, 2012, at 11:20 PM, mustafa wrote:
*Internet Protocol, Src: 192.168.40.3 (192.168.40.3), Dst: 10.10.10(10.10.10.53) Version: 4 Header length: 20 bytes Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00) Total Length: 96 Identification: 0x23e0 (9184) Flags: 0x02 (Don't Fragment Fragment offset: 0 Time to live : 127 Protocol : TCP (6) Header checksum: 0xdacd [correct] source 10.10.10.53 (10.10.10.53 Destination: 192.168.40.3 (192.168.40.3) *Transmission Control Protocol, Src Port:49869 (49869), Dst Port: http (80), seq: Source port: 49869 (49869) Destination port: http (80) [Stream index: 240] Sequence number: 1 (relative squence number) [NEXT squence number: 57 (relative sequence number)] Acknowledgement number: 1 (relative ack number) Header length: 20 bytes Flags: 0x18 (PSH, ACK) window size: 17520 (scaled) Checksum: 0xba28 [validation disabled] [SEQ/ACK analysis] *Hypertext Transfer Protocol *DATA (56 bytes) Data:0569ff24fdd6dbd18ffe4d2f2fffaa9020alae217a53923a.. [Length: 56]
OK, so the two sequence numbers indicate that there should, in fact, be 56 bytes of data in the TCP segment. If that's the *first* TCP segment sent from host 192.168.40.3 port 49869 to host 10.10.10.53 port 80, then that is reported by Wireshark as an invalid request, and rejected by Squid as an invalid request, because it *IS* an invalid request! It looks like a bunch of random binary data, but an HTTP request needs to look like {command} {path} HTTP/1.1 or something such as that, for example GET / HTTP/1.1 Is somebody trying to send encrypted HTTP-over-SSL/HTTP-over-TLS to port 80? ___________________________________________________________________________ Sent via: Wireshark-users mailing list <wireshark-users () wireshark org> Archives: http://www.wireshark.org/lists/wireshark-users Unsubscribe: https://wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request () wireshark org?subject=unsubscribe
Current thread:
- invalid request mustafa alhussona (Mar 13)
- Re: invalid request Martin Visser (Mar 13)
- Re: invalid request Guy Harris (Mar 13)
- Re: invalid request mustafa (Mar 13)
- Re: invalid request Guy Harris (Mar 13)
- Re: invalid request mustafa (Mar 13)
- Re: invalid request Guy Harris (Mar 14)
- Re: invalid request mustafa (Mar 14)
- Re: invalid request mustafa (Mar 13)