On Thu, Apr 17, 2003 at 04:06:38PM +0200, rmkml wrote:
> on this file, I found multiple web (80/tcp) trafic sessions :
>
> 4 07:27:27.124244 217.21.114.138 -> 217.128.40.168 HTTP Continuation
> 7 07:27:47.118987 217.128.40.168 -> 217.21.114.138 HTTP Continuation
> 14 07:27:48.445287 217.21.114.138 -> 217.128.40.168 HTTP Continuation
> 17 07:28:08.434051 217.128.40.168 -> 217.21.114.138 HTTP Continuation
> 24 07:28:09.760728 217.21.114.138 -> 217.128.40.168 HTTP CONNECT
> 64.157.4.84:25 HTTP/1.1
> 26 07:28:09.779377 217.128.40.168 -> 217.21.114.138 HTTP HTTP/1.1 405
> Method Not Allowed
>
> but two first sessions is not clean, look apache1327 access_log :
>
> 217.21.114.138 - - [17/Apr/2003:07:27:27 +0200] "\x04\x01" 501 - "-" "-"
Well, in frame 4 of the capture, the machine at 217.21.114.138 sends, as
the first TCP data, 9 bytes - in hex:
04 01 00 19 40 9d 04 54 00
which aren't a valid HTTP request; that's probably what Apache is
logging.
217.21.114.138 closes its side of the connection in frame 6; in frame 7,
217.128.40.168 replies with an HTML document and no HTTP header,
although the document is a 501 "Method not implemented" error document
(presumably because that string of bytes isn't a valid HTTP method). I
don't know whether the fact that there's no HTTP header in the reply is
an Apache bug or feature.
> 217.21.114.138 - - [17/Apr/2003:07:27:48 +0200] "\x05\x01" 501 - "-" "-"
That's frame 14 from 217.21.114.138, sending
05 01 00
and closing its side of the connection in frame 16; the reply in frame
17 is, again, an HTML 501 document with no HTTP header.
The reason why the HTTP dissector reports it as "Continuation" is that
it currently doesn't keep track of the initial sequence number of a
connection and thus doesn't know what the first frame of a connection,
in each direction, is; therefore, it assumes that if it sees something
that doesn't look like an HTTP request or reply, it's data from the
middle of a request or reply, and reports it as a "Continuation".