On Mar 13, 2012, at 11:20 PM, mustafa wrote:
> *Internet Protocol, Src: 192.168.40.3 (192.168.40.3), Dst: 10.10.10(10.10.10.53)
> Version: 4
> Header length: 20 bytes
> Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
> Total Length: 96
> Identification: 0x23e0 (9184)
> Flags: 0x02 (Don't Fragment
> Fragment offset: 0
> Time to live : 127
> Protocol : TCP (6)
> Header checksum: 0xdacd [correct]
> source 10.10.10.53 (10.10.10.53
> Destination: 192.168.40.3 (192.168.40.3)
>
> *Transmission Control Protocol, Src Port:49869 (49869), Dst Port: http (80), seq:
> Source port: 49869 (49869)
> Destination port: http (80)
> [Stream index: 240]
> Sequence number: 1 (relative squence number)
> [NEXT squence number: 57 (relative sequence number)]
> Acknowledgement number: 1 (relative ack number)
> Header length: 20 bytes
> Flags: 0x18 (PSH, ACK)
> window size: 17520 (scaled)
> Checksum: 0xba28 [validation disabled]
> [SEQ/ACK analysis]
>
> *Hypertext Transfer Protocol
> *DATA (56 bytes)
> Data:0569ff24fdd6dbd18ffe4d2f2fffaa9020alae217a53923a..
> [Length: 56]
OK, so the two sequence numbers indicate that there should, in fact, be 56 bytes of data in the TCP segment.
If that's the *first* TCP segment sent from host 192.168.40.3 port 49869 to host 10.10.10.53 port 80, then that is reported by Wireshark as an invalid request, and rejected by Squid as an invalid request, because it *IS* an invalid request! It looks like a bunch of random binary data, but an HTTP request needs to look like
{command} {path} HTTP/1.1
or something such as that, for example
GET / HTTP/1.1
Is somebody trying to send encrypted HTTP-over-SSL/HTTP-over-TLS to port 80?
