Wireshark mailing list archives

Re: invalid request


From: Guy Harris <guy () alum mit edu>
Date: Tue, 13 Mar 2012 23:34:50 -0700


On Mar 13, 2012, at 11:20 PM, mustafa wrote:

*Internet Protocol, Src: 192.168.40.3 (192.168.40.3), Dst: 10.10.10(10.10.10.53)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
Total Length: 96
Identification: 0x23e0 (9184)
Flags: 0x02 (Don't Fragment)
Fragment offset: 0
Time to live: 127
Protocol: TCP (6)
Header checksum: 0xdacd [correct]
Source: 10.10.10.53 (10.10.10.53)
Destination: 192.168.40.3 (192.168.40.3)

*Transmission Control Protocol, Src Port:49869 (49869), Dst Port: http (80), seq:
Source port: 49869 (49869)
Destination port: http (80)
[Stream index: 240]
Sequence number: 1 (relative sequence number)
[Next sequence number: 57 (relative sequence number)]
Acknowledgement number: 1 (relative ack number)
Header length: 20 bytes
Flags: 0x18 (PSH, ACK)
Window size: 17520 (scaled)
Checksum: 0xba28 [validation disabled]
[SEQ/ACK analysis]

*Hypertext Transfer Protocol
 *DATA (56 bytes)
  Data: 0569ff24fdd6dbd18ffe4d2f2fffaa9020a1ae217a53923a..
   [Length: 56]

OK, so the two sequence numbers indicate that there should, in fact, be 56 bytes of data in the TCP segment.

If that's the *first* TCP segment sent from host 192.168.40.3 port 49869 to host 10.10.10.53 port 80, then that is 
reported by Wireshark as an invalid request, and rejected by Squid as an invalid request, because it *IS* an invalid 
request!  It looks like a bunch of random binary data, but an HTTP request needs to look like

        {command} {path} HTTP/1.1

or something such as that, for example

        GET / HTTP/1.1

Is somebody trying to send encrypted HTTP-over-SSL/HTTP-over-TLS to port 80?
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
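The check Guy describes (does the first segment from the client look like an HTTP request line, or like something else such as a TLS handshake sent to port 80?) as an added example; this is not code from the thread or from Wireshark or Squid. The payload bytes are the unambiguous hex prefix of the 56-byte data shown in the posted dissection (the rest of that line is truncated with ".." in the post); the GET request and the TLS ClientHello header are constructed samples for comparison. The SSLv2-style hello check is included for completeness and is an assumption about what else a client might send to port 80, not something the post mentions.

```python
import re

# Prefix of the 56-byte payload from the posted dissection (only the bytes that are
# unambiguous hex in the post; the post truncates the rest with "..").
POSTED_PAYLOAD = bytes.fromhex("0569ff24fdd6dbd18ffe4d2f2fffaa9020")

# Constructed samples, not from the post.
GOOD_REQUEST = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
# TLS record header: type 0x16 (handshake), version 3.1, length 5, then a ClientHello stub.
TLS_CLIENT_HELLO = bytes.fromhex("160301" "0005" "0100000100")

HTTP_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT", "PATCH"}
# "{command} {path} HTTP/{major}.{minor}" terminated by CRLF (or a bare LF).
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)\r?\n")


def parse_request_line(payload: bytes):
    """Return (method, path, version) if the payload starts with a valid
    HTTP request line, else None."""
    m = REQUEST_LINE.match(payload)
    if not m:
        return None
    method = m.group(1).decode("ascii")
    if method not in HTTP_METHODS:
        return None
    path = m.group(2).decode("ascii", errors="replace")
    version = f"{m.group(3).decode()}.{m.group(4).decode()}"
    return method, path, version


def looks_like_tls(payload: bytes) -> bool:
    """TLS record header: content type 0x16 (handshake), version 3.0-3.3.
    Also recognises an SSLv2-compatible ClientHello (high bit set on the
    first length byte, message type 0x01 as the third byte) - assumption."""
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 0x03:
        return True
    if len(payload) >= 3 and (payload[0] & 0x80) and payload[2] == 0x01:
        return True
    return False


def printable_ratio(payload: bytes) -> float:
    """Fraction of bytes that are printable ASCII or whitespace; an HTTP
    request line is all printable, random binary usually is not."""
    if not payload:
        return 0.0
    printable = sum(1 for b in payload if 0x20 <= b < 0x7F or b in b"\r\n\t")
    return printable / len(payload)


def classify_first_segment(payload: bytes) -> str:
    """Classify the first client-to-server bytes on a web server port:
    'http-request', 'tls-record', or 'binary' (what Squid rejects as invalid)."""
    if parse_request_line(payload) is not None:
        return "http-request"
    if looks_like_tls(payload):
        return "tls-record"
    return "binary"


if __name__ == "__main__":
    for name, data in (("posted", POSTED_PAYLOAD), ("get", GOOD_REQUEST), ("tls", TLS_CLIENT_HELLO)):
        print(name, classify_first_segment(data), f"printable={printable_ratio(data):.2f}")
```

Run against the posted bytes this returns "binary": the first byte is 0x05, so it is neither a request line nor a TLS record (which would start 0x16 0x03), which is consistent with Squid rejecting it; the printable ratio makes the "looks like random binary data" observation concrete.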