Ethereal-dev: [Ethereal-dev] Possible Wrong HTTP decode

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Jan Willem Huijbers" <j.w.huijbers@xxxxxxxxx>
Date: Sun, 10 Mar 2002 21:48:13 +0100
Hi all,

When I was tracing and decoding an HTTP session I noticed a strange packet.
Ethereal decoded the packet as XOT, but in my opinion it is a normal HTTP
packet. Could this be a bug in the decoding?

I have looked on the website to find out where I could submit a bug report.
The closest I have found is this list. Hope you don't mind.

I have compiled the 0.9.2 tar-file on a Red Hat 7.1 workstation with the
libpcap 7.1 lib. Below is the decode of the packet:

Kind regards
Jan Willem Huijbers

Frame 149 (439 on wire, 439 captured)
    Arrival Time: Mar 10, 2002 21:07:04.195238000
    Time delta from previous packet: 0.000000000 seconds
    Time relative to first packet: 10.049693000 seconds
    Frame Number: 149
    Packet Length: 439 bytes
    Capture Length: 439 bytes
Ethernet II
    Destination: 00:00:77:93:d8:2a (e94065.upc-e.chello.nl)
    Source: 00:50:04:22:2d:d6 (e94102.upc-e.chello.nl)
    Type: IP (0x0800)
Internet Protocol, Src Addr: e94102.upc-e.chello.nl (213.93.94.102), Dst
Addr: phwww.netcast.nl (194.151.1.57)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x08 (DSCP 0x02: Unknown DSCP; ECN: 0x00)
        0000 10.. = Differentiated Services Codepoint: Unknown (0x02)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 425
    Identification: 0x7df7
    Flags: 0x04
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 127
    Protocol: TCP (0x06)
    Header checksum: 0x84bb (correct)
    Source: e94102.upc-e.chello.nl (213.93.94.102)
    Destination: phwww.netcast.nl (194.151.1.57)
Transmission Control Protocol, Src Port: 1998 (1998), Dst Port: http (80),
Seq: 2729921498, Ack: 6772
    Source port: 1998 (1998)
    Destination port: http (80)
    Sequence number: 2729921498
    Next sequence number: 2729921883
    Acknowledgement number: 6772
    Header length: 20 bytes
    Flags: 0x0018 (PSH, ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgment: Set
        .... 1... = Push: Set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 17520
    Checksum: 0x25e3 (correct)
X.25 over TCP
    Version: 18245
    Length: 21536
X.25
    0010 .... .... .... = GFI: 2
        0... .... .... .... = Q Bit: False
        .0.. .... .... .... = D Bit: False
        ..10 .... .... .... = Modulo: 128 (2)
    .... 1111 0110 0111 = Logical Channel: 3943
    0110 011. = P(R): 0x33
    0111 100. = P(S): 0x3c
Data (377 bytes)

0000  00 00 77 93 d8 2a 00 50 04 22 2d d6 08 00 45 08   ..w..*.P."-...E.
0010  01 a9 7d f7 40 00 7f 06 84 bb d5 5d 5e 66 c2 97   ..}.@......]^f..
0020  01 39 07 ce 00 50 a2 b7 4b da 00 00 1a 74 50 18   .9...P..K....tP.
0030  44 70 25 e3 00 00 47 45 54 20 2f 67 66 78 2f 67   Dp%...GET /gfx/g
0040  66 78 5f 6e 69 65 75 77 2f 67 69 66 2e 67 69 66   fx_nieuw/gif.gif
0050  20 48 54 54 50 2f 31 2e 31 0d 0a 41 63 63 65 70    HTTP/1.1..Accep
0060  74 3a 20 2a 2f 2a 0d 0a 52 65 66 65 72 65 72 3a   t: */*..Referer:
0070  20 68 74 74 70 3a 2f 2f 77 77 77 2e 67 65 6c 64    http://www.geld
0080  65 72 6c 61 6e 64 65 72 2e 6e 6c 2f 43 44 41 2f   erlander.nl/CDA/
0090  72 65 67 69 6f 70 6f 72 74 61 6c 2f 30 2c 32 30   regioportal/0,20
00a0  37 38 2c 31 34 34 34 2c 30 30 2e 68 74 6d 6c 0d   78,1444,00.html.
00b0  0a 41 63 63 65 70 74 2d 4c 61 6e 67 75 61 67 65   .Accept-Language
00c0  3a 20 6e 6c 0d 0a 41 63 63 65 70 74 2d 45 6e 63   : nl..Accept-Enc
00d0  6f 64 69 6e 67 3a 20 67 7a 69 70 2c 20 64 65 66   oding: gzip, def
00e0  6c 61 74 65 0d 0a 49 66 2d 4d 6f 64 69 66 69 65   late..If-Modifie
00f0  64 2d 53 69 6e 63 65 3a 20 4d 6f 6e 2c 20 31 37   d-Since: Mon, 17
0100  20 4d 61 79 20 31 39 39 39 20 31 32 3a 32 31 3a    May 1999 12:21:
0110  30 31 20 47 4d 54 0d 0a 49 66 2d 4e 6f 6e 65 2d   01 GMT..If-None-
0120  4d 61 74 63 68 3a 20 22 30 2d 33 32 37 2d 33 37   Match: "0-327-37
0130  34 30 30 39 61 64 22 0d 0a 55 73 65 72 2d 41 67   4009ad"..User-Ag
0140  65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30   ent: Mozilla/4.0
0150  20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53    (compatible; MS
0160  49 45 20 35 2e 35 3b 20 57 69 6e 64 6f 77 73 20   IE 5.5; Windows
0170  4e 54 20 35 2e 30 3b 20 54 33 31 32 34 36 31 29   NT 5.0; T312461)
0180  0d 0a 48 6f 73 74 3a 20 77 77 77 2e 67 65 6c 64   ..Host: www.geld
0190  65 72 6c 61 6e 64 65 72 2e 6e 6c 0d 0a 43 6f 6e   erlander.nl..Con
01a0  6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c   nection: Keep-Al
01b0  69 76 65 0d 0a 0d 0a                              ive....
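
Added example, not part of the original post and not Ethereal's code: reading the first payload bytes (`GET /gfx`) as an XOT header followed by an X.25 header reproduces every value in the decode above, and the connection's source port, 1998, is the TCP port RFC 1613 assigns to XOT. `classify` is a hypothetical selector showing how checking the XOT version field (which RFC 1613 requires to be 0) lets the packet fall through to HTTP; `HTTP_METHODS` and all function names are assumptions.

```python
import struct

XOT_PORT = 1998  # TCP port assigned to XOT (RFC 1613)
# First 8 TCP payload bytes of frame 149, copied from the hex dump at offset 0x36: "GET /gfx"
PAYLOAD = bytes.fromhex("474554202f676678")
# Assumed list of request-line prefixes used for the HTTP check
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"TRACE ")

def decode_as_xot(payload):
    """Read the bytes as a 4-byte XOT header plus an X.25 modulo-128 header.
    Field names follow the decode shown in the post."""
    version, length = struct.unpack("!HH", payload[:4])
    b0, b1, b2, b3 = payload[4:8]
    return {
        "version": version,               # "GE" -> 0x4745
        "length": length,                 # "T " -> 0x5420
        "gfi": b0 >> 4,                   # high nibble of "/"
        "lcn": ((b0 & 0x0F) << 8) | b1,   # low nibble of "/" plus "g"
        "pr": b2 >> 1,                    # top 7 bits of "f"
        "ps": b3 >> 1,                    # top 7 bits of "x"
    }

def plausible_xot(payload):
    """RFC 1613 requires version 0; an X.25 packet is at least 3 octets long."""
    if len(payload) < 4:
        return False
    version, length = struct.unpack("!HH", payload[:4])
    return version == 0 and length >= 3

def classify(src_port, dst_port, payload, check_payload):
    """Hypothetical selector: port match alone, or port match plus header checks."""
    if XOT_PORT in (src_port, dst_port):
        if not check_payload or plausible_xot(payload):
            return "XOT"
    if payload.startswith(HTTP_METHODS):
        return "HTTP"
    return "data"

if __name__ == "__main__":
    print(decode_as_xot(PAYLOAD))
    print(classify(1998, 80, PAYLOAD, check_payload=False))
    print(classify(1998, 80, PAYLOAD, check_payload=True))
```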