Wireshark-users: Re: [Wireshark-users] invalid request

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 13 Mar 2012 18:05:25 -0700
On Mar 13, 2012, at 11:57 AM, mustafa alhussona wrote:

> I installed a Squid server and I have an invalid request, so I decided to check the traffic using Wireshark. Please can you tell me what this line means?
> 
> [protocols in frame: eth:ip:tcp:http:data]

It means that the packet is an Ethernet packet, containing an IP packet, containing a TCP segment, containing part or all of an HTTP request or response, and the body of the HTTP request or response is something Wireshark can't dissect, so it just shows it as data.

> Please, what is the meaning of data? OK, I know the ip:tcp:http is for an HTTP request, but what does the data protocol mean?

It means that Wireshark doesn't know what the contents of the HTTP request are, because it either doesn't know what the content type is or because it doesn't know how to interpret that particular content type, so it just shows it as data.

> And there is a new field that describes this data; the field is called Hypertext Transfer Protocol and contains data of length 56 bytes.

Yes, HTTP stands for HyperText Transfer Protocol; the 56 bytes are probably the HTTP request line and message headers.

> Why is this request considered an invalid request?

We'd have to see the request in order to know why it's considered invalid.

If your Wireshark capture also includes the response, the response might indicate why the request is considered invalid.
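
The layering described in the reply above, as an added example that is not part of the original message and is not Wireshark's code: a simplified Python model that walks a frame layer by layer and falls back to `data` when nothing claims the HTTP body. The frame bytes, addresses, the `BODY_DISSECTORS` table and both function names are constructed for this sketch.

```python
import struct

# Toy body-dissector table keyed by Content-Type; an assumption of this sketch,
# standing in for the content types a dissector knows how to interpret.
BODY_DISSECTORS = {"application/json": "json"}
METHODS = (b"GET", b"POST", b"PUT", b"HEAD", b"DELETE", b"OPTIONS", b"CONNECT")

def build_frame(payload: bytes) -> bytes:
    """Wrap payload in constructed Ethernet/IPv4/TCP headers (checksums left 0)."""
    tcp = struct.pack("!HHIIBBHHH", 49152, 3128, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0, 0, 64, 6, 0, bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    eth = bytes(12) + struct.pack("!H", 0x0800)  # zeroed MACs, EtherType IPv4
    return eth + ip + tcp + payload

def protocols_in_frame(frame: bytes) -> str:
    """Walk the layers and return a 'protocols in frame'-style string."""
    layers = ["eth"]
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return ":".join(layers + ["data"])
    ip = frame[14:]
    layers.append("ip")
    if ip[9] != 6:  # IP protocol 6 = TCP
        return ":".join(layers + ["data"])
    ihl = (ip[0] & 0x0F) * 4
    tcp = ip[ihl:struct.unpack("!H", ip[2:4])[0]]
    layers.append("tcp")
    payload = tcp[(tcp[12] >> 4) * 4:]
    if not payload:
        return ":".join(layers)
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    first = lines[0].split(b" ")[0]
    if first not in METHODS and not first.startswith(b"HTTP/"):
        return ":".join(layers + ["data"])  # TCP payload that is not HTTP
    layers.append("http")
    if body:
        ctype = ""
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"content-type":
                ctype = value.split(b";")[0].strip().lower().decode("ascii", "replace")
        # Unknown or missing content type: the body is just labelled "data".
        layers.append(BODY_DISSECTORS.get(ctype, "data"))
    return ":".join(layers)

if __name__ == "__main__":
    req = b"POST /upload HTTP/1.1\r\nHost: example.test\r\nContent-Type: application/x-custom\r\n\r\n\x00\x01\x02"
    print(protocols_in_frame(build_frame(req)))
```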