Ethereal-dev: Re: [Ethereal-dev] Tethereal0911 pbs on http dissector ...

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Thu, 17 Apr 2003 23:20:54 -0700
On Thu, Apr 17, 2003 at 04:06:38PM +0200, rmkml wrote:
> on this file, I found multiple web (80/tcp) traffic sessions:
> 
>   4 07:27:27.124244 217.21.114.138 -> 217.128.40.168 HTTP Continuation
>   7 07:27:47.118987 217.128.40.168 -> 217.21.114.138 HTTP Continuation
>  14 07:27:48.445287 217.21.114.138 -> 217.128.40.168 HTTP Continuation
>  17 07:28:08.434051 217.128.40.168 -> 217.21.114.138 HTTP Continuation
>  24 07:28:09.760728 217.21.114.138 -> 217.128.40.168 HTTP CONNECT 64.157.4.84:25 HTTP/1.1
>  26 07:28:09.779377 217.128.40.168 -> 217.21.114.138 HTTP HTTP/1.1 405 Method Not Allowed
> 
> but the first two sessions are not clean, look at the apache1327 access_log:
> 
> 217.21.114.138 - - [17/Apr/2003:07:27:27 +0200] "\x04\x01" 501 - "-" "-"

Well, in frame 4 of the capture, the machine at 217.21.114.138 sends, as
the first TCP data, 9 bytes - in hex:

	04 01 00 19 40 9d 04 54 00

which aren't a valid HTTP request; that's probably what Apache is
logging.

217.21.114.138 closes its side of the connection in frame 6; in frame 7,
217.128.40.168 replies with an HTML document and no HTTP header,
although the document is a 501 "Method not implemented" error document
(presumably because that string of bytes isn't a valid HTTP method).  I
don't know whether the fact that there's no HTTP header in the reply is
an Apache bug or feature.

> 217.21.114.138 - - [17/Apr/2003:07:27:48 +0200] "\x05\x01" 501 - "-" "-"

That's frame 14 from 217.21.114.138, sending

	05 01 00

and closing its side of the connection in frame 16; the reply in frame
17 is, again, an HTML 501 document with no HTTP header.

The reason why the HTTP dissector reports it as "Continuation" is that
it currently doesn't keep track of the initial sequence number of a
connection and thus doesn't know what the first frame of a connection,
in each direction, is; therefore, it assumes that if it sees something
that doesn't look like an HTTP request or reply, it's data from the
middle of a request or reply, and reports it as a "Continuation".
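As an added illustration of the heuristic described in that last paragraph (example code written for this archive page, not Ethereal's dissector source), here is a C sketch that classifies a segment's payload the way the text describes and shows how knowing whether a segment is the first data in its direction changes the verdict for the thread's frames. The function and variable names are my own, and the frame 7/17 HTML body is a constructed stand-in for Apache's header-less error document.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* What the heuristic decides about one TCP segment's payload. */
typedef enum { HTTP_REQUEST, HTTP_RESPONSE, HTTP_CONTINUATION, NOT_HTTP } http_kind;

/* A reply begins "HTTP/" (frame 26: "HTTP/1.1 405 Method Not Allowed"). */
static int looks_like_http_response(const uint8_t *d, size_t n) {
    return n >= 5 && memcmp(d, "HTTP/", 5) == 0;
}

/* A request begins with an upper-case method token, a space, a target and
 * " HTTP/" on the same line (frame 24: "CONNECT 64.157.4.84:25 HTTP/1.1"). */
static int looks_like_http_request(const uint8_t *d, size_t n) {
    size_t i = 0, j;
    while (i < n && isupper(d[i])) i++;
    if (i == 0 || i >= n || d[i] != ' ') return 0;
    for (j = i + 1; j + 6 <= n; j++) {
        if (d[j] == '\n') return 0;
        if (memcmp(d + j, " HTTP/", 6) == 0) return 1;
    }
    return 0;
}

/* first_in_direction is 1 when this is the first data segment seen in this
 * direction. The dissector in the thread could not tell (it did not record the
 * initial sequence number), so every unrecognised payload fell through to
 * HTTP_CONTINUATION; with that knowledge the same bytes become NOT_HTTP. */
http_kind classify_segment(const uint8_t *d, size_t n, int first_in_direction) {
    if (looks_like_http_response(d, n)) return HTTP_RESPONSE;
    if (looks_like_http_request(d, n)) return HTTP_REQUEST;
    return first_in_direction ? NOT_HTTP : HTTP_CONTINUATION;
}

/* Payloads from the thread (frames 4, 14, 24, 26) and a constructed stand-in
 * for the header-less HTML error body Apache sent in frames 7 and 17. */
const uint8_t frame4[]  = {0x04, 0x01, 0x00, 0x19, 0x40, 0x9d, 0x04, 0x54, 0x00};
const uint8_t frame14[] = {0x05, 0x01, 0x00};
const char frame7[]  = "<HTML><HEAD><TITLE>501 Method Not Implemented</TITLE></HEAD></HTML>";
const char frame24[] = "CONNECT 64.157.4.84:25 HTTP/1.1\r\n\r\n";
const char frame26[] = "HTTP/1.1 405 Method Not Allowed\r\n\r\n";

int main(void) {
    static const char *name[] = {"Request", "Response", "Continuation", "not HTTP"};
    printf("frame 4 without ISN tracking: %s\n", name[classify_segment(frame4, sizeof frame4, 0)]);
    printf("frame 4 as first data:        %s\n", name[classify_segment(frame4, sizeof frame4, 1)]);
    return 0;
}
```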