Re: invalid request

[mustafa <mustafarajimusa () gmail com>]

On 3/14/2012 9:34 AM, Guy Harris wrote:
> On Mar 13, 2012, at 11:20 PM, mustafa wrote:
>
> > *Internet Protocol, Src: 192.168.40.3 (192.168.40.3), Dst: 10.10.10(10.10.10.53)
> > Version: 4
> > Header length: 20 bytes
> > Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
> > Total Length: 96
> > Identification: 0x23e0 (9184)
> > Flags: 0x02 (Don't Fragment
> > Fragment offset: 0
> > Time to live : 127
> > Protocol : TCP (6)
> > Header checksum: 0xdacd [correct]
> > source 10.10.10.53 (10.10.10.53
> > Destination: 192.168.40.3 (192.168.40.3)
> >
> > *Transmission Control Protocol, Src Port:49869 (49869), Dst Port: http (80), seq:
> > Source port: 49869 (49869)
> > Destination port: http (80)
> > [Stream index: 240]
> > Sequence number: 1 (relative squence number)
> > [NEXT squence number: 57 (relative sequence number)]
> > Acknowledgement number: 1 (relative ack number)
> > Header length: 20 bytes
> > Flags: 0x18 (PSH, ACK)
> > window size: 17520 (scaled)
> > Checksum: 0xba28 [validation disabled]
> > [SEQ/ACK analysis]
> >
> > *Hypertext Transfer Protocol
> >   *DATA (56 bytes)
> >    Data:0569ff24fdd6dbd18ffe4d2f2fffaa9020alae217a53923a..
> >     [Length: 56]
> OK, so the two sequence numbers indicate that there should, in fact, be 56 bytes of data in the TCP segment.
>
> If that's the *first* TCP segment sent from host 192.168.40.3 port 49869 to host 10.10.10.53 port 80, then that is 
> reported by Wireshark as an invalid request, and rejected by Squid as an invalid request, because it *IS* an invalid 
> request!  It looks like a bunch of random binary data, but an HTTP request needs to look like
>
>         {command} {path} HTTP/1.1
>
> or something such as that, for example
>
>         GET / HTTP/1.1
>
> Is somebody trying to send encrypted HTTP-over-SSL/HTTP-over-TLS to port 80?
it might be the problem is sending ssl over http because i configure 
squid in the intercept mode, but squid know how to deal with ssl, i want 
to know what is the cause to block it , or find solution to it using squid
thanks Best regards
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list<wireshark-users () wireshark org>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>               mailto:wireshark-users-request () wireshark org?subject=unsubscribe

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request () wireshark org?subject=unsubscribe