Wireshark-users: Re: [Wireshark-users] Two http headers in packet?
From: Sake Blok <sake@xxxxxxxxxx>
Date: Fri, 5 Jun 2009 18:35:09 +0200
On Fri, Jun 05, 2009 at 10:24:41AM -0400, Alan Snyder wrote:
> I'm looking at a packet that wireshark interprets as having 2 http
> headers. This packet between a piece of software and a http proxy
> (squid)... i'm trying to debug a connection problem. In wireshark,
> when i look at this first packet which is the http connect, there are
> 2 http headers! the first header lists
> 
> proxy-connect-hostname ...
> proxy-connect-port ...
> 
> ...and the 2nd seems to be the normal http fields...
> 
> CONNECT ...
> Host ...
> Upgrade...
> Connection...
> 
> What i'm trying to figure out is where the first header is coming
> from... looking at the packet i dont see any additional bytes which
> store this data. It seems to be extracted from real header.

If all is well, the proxy-connect-hostname/port headers should be
enclosed in "[...]", which means that the fields are indeed generated by
Wireshark, based on information found in the packet.

> It's
> confusing because it's listed as a completely separate header, after
> the TCP data. Here's the raw packet...
> 
> 0000  00 16 c7 ca a2 3f 00 14  4f 00 f2 72 08 00 45 00   .....?.. O..r..E.
> 0010  00 87 bc 1f 40 00 40 06  48 ee 0a 01 08 f5 0a 05   ....@.@. H.......
> 0020  18 69 ae 9b 76 2a 61 df  ec 85 37 ac b1 56 50 18   .i..v*a. ..7..VP.
> 0030  60 f4 35 dd 00 00 43 4f  4e 4e 45 43 54 20 31 30   `.5...CO NNECT 10
> 0040  2e 31 2e 38 2e 33 36 3a  34 32 36 20 48 54 54 50   .1.8.36: 426 HTTP
> 0050  2f 31 2e 31 0d 0a 48 6f  73 74 3a 20 31 30 2e 31   /1.1..Ho st: 10.1
> 0060  2e 38 2e 33 36 3a 34 32  36 20 0d 0a 55 70 67 72   .8.36:42 6 ..Upgr
> 0070  61 64 65 3a 20 54 4c 53  2f 31 2e 30 0d 0a 43 6f   ade: TLS /1.0..Co
> 0080  6e 6e 65 63 74 69 6f 6e  3a 20 55 70 67 72 61 64   nnection : Upgrad
> 0090  65 0d 0a 0d 0a                                     e....
> 
> Now, I have another packets that is practically identical to this one
> (except for checksums, timestamps, etc), and that one in wireshark
> only shows 1 http header...
> 
> 0000  00 16 c7 ca a2 3f 00 14  4f 00 f2 72 08 00 45 00   .....?.. O..r..E.
> 0010  00 87 bc 37 40 00 40 06  48 d6 0a 01 08 f5 0a 05   ...7@.@. H.......
> 0020  18 69 af 74 76 2a 66 4a  c1 4f 3e ce aa d2 50 18   .i.tv*fJ .O>...P.
> 0030  60 f4 35 dd 00 00 43 4f  4e 4e 45 43 54 20 31 30   `.5...CO NNECT 10
> 0040  2e 31 2e 38 2e 33 36 3a  34 32 36 20 48 54 54 50   .1.8.36: 426 HTTP
> 0050  2f 31 2e 31 0d 0a 48 6f  73 74 3a 20 31 30 2e 31   /1.1..Ho st: 10.1
> 0060  2e 38 2e 33 36 3a 34 32  36 20 0d 0a 55 70 67 72   .8.36:42 6 ..Upgr
> 0070  61 64 65 3a 20 54 4c 53  2f 31 2e 30 0d 0a 43 6f   ade: TLS /1.0..Co
> 0080  6e 6e 65 63 74 69 6f 6e  3a 20 55 70 67 72 61 64   nnection : Upgrad
> 0090  65 0d 0a 0d 0a                                     e....
> 
> ... it's the same http connect to the same proxy from the same host,
> so with respect to IP and TCP they're basically the same. I've been
> googling around for some insight but it's hard to google "http" since
> any urls listed in a web page are a match... uggh!

They should be listed the same indeed. The reason for the extra HTTP
header is that when the proxied connection is using the SSL protocol
after the initial HTTP connection, you are still able to filter on the
destination server ip and port.

Could you provide a capture file with two tcp sessions (one with one
header, the other with two headers)? Then I can have a look at the
different behavior.

(I used text2pcap on your text output, but then the behavior is not
visible unfortunately)

Cheers,
     Sake