Wireshark-users: Re: [Wireshark-users] invalid request
From: mustafa <mustafarajimusa@xxxxxxxxx>
Date: Wed, 14 Mar 2012 09:42:14 +0300
On 3/14/2012 9:34 AM, Guy Harris wrote:
On Mar 13, 2012, at 11:20 PM, mustafa wrote:

*Internet Protocol, Src: 192.168.40.3 (192.168.40.3), Dst: 10.10.10(10.10.10.53)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
Total Length: 96
Identification: 0x23e0 (9184)
Flags: 0x02 (Don't Fragment
Fragment offset: 0
Time to live : 127
Protocol : TCP (6)
Header checksum: 0xdacd [correct]
source 10.10.10.53 (10.10.10.53
Destination: 192.168.40.3 (192.168.40.3)

*Transmission Control Protocol, Src Port:49869 (49869), Dst Port: http (80), seq:
Source port: 49869 (49869)
Destination port: http (80)
[Stream index: 240]
Sequence number: 1 (relative squence number)
[NEXT squence number: 57 (relative sequence number)]
Acknowledgement number: 1 (relative ack number)
Header length: 20 bytes
Flags: 0x18 (PSH, ACK)
window size: 17520 (scaled)
Checksum: 0xba28 [validation disabled]
[SEQ/ACK analysis]

*Hypertext Transfer Protocol
  *DATA (56 bytes)
   Data:0569ff24fdd6dbd18ffe4d2f2fffaa9020alae217a53923a..
    [Length: 56]
OK, so the two sequence numbers indicate that there should, in fact, be 56 bytes of data in the TCP segment.

If that's the *first* TCP segment sent from host 192.168.40.3 port 49869 to host 10.10.10.53 port 80, then that is reported by Wireshark as an invalid request, and rejected by Squid as an invalid request, because it *IS* an invalid request!  It looks like a bunch of random binary data, but an HTTP request needs to look like

	{command} {path} HTTP/1.1

or something such as that, for example

	GET / HTTP/1.1

Is somebody trying to send encrypted HTTP-over-SSL/HTTP-over-TLS to port 80?
it might be the problem is sending ssl over http because i configure squid in the intercept mode, but squid know how to deal with ssl, i want to know what is the cause to block it , or find solution to it using squid
thanks Best regards
___________________________________________________________________________
Sent via:    Wireshark-users mailing list<wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
              mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe