Wireshark-users: Re: [Wireshark-users] invalid request

From: mustafa <mustafarajimusa@xxxxxxxxx>
Date: Wed, 14 Mar 2012 09:20:24 +0300
On 3/14/2012 4:05 AM, Guy Harris wrote:
> On Mar 13, 2012, at 11:57 AM, mustafa alhussona wrote:
>
>> I installed a Squid server and I have invalid requests, so I decided to check the traffic using Wireshark. Please can you tell me what this line means?
>>
>> [protocols in frame: eth:ip:tcp:http:data]
>
> It means that the packet is an Ethernet packet, containing an IP packet, containing a TCP segment, containing part or all of an HTTP request or response, and the body of the HTTP request or response is something Wireshark can't dissect, so it just shows it as data.
>
>> Please, what is the meaning of data? OK, I know the ip:tcp:http is for an HTTP request, but what does the data protocol mean?
>
> It means that Wireshark doesn't know what the contents of the HTTP request are, because it either doesn't know what the content type is or because it doesn't know how to interpret that particular content type, so it just shows it as data.
>
>> And there is a new field that describes this data; the field is called Hypertext Transfer Protocol and contains data of length 56 bytes.
>
> Yes, HTTP stands for HyperText Transfer Protocol; the 56 bytes are probably the HTTP request line and message headers.
>
>> Why is this request considered an invalid request?
>
> We'd have to see the request in order to know why it's considered invalid.
>
> If your Wireshark capture also includes the response, the response might indicate why the request is considered invalid.
Thank you for your reply. Wireshark shows the packet as this, and the problem is that Wireshark considers this request an invalid request and the Squid server considers it invalid too, so many invalid requests may reduce the performance of the server.

*Frame 4139: 110 bytes on wire (880 bits), 110 bytes captured (880 bits)
Arrival Time: Mar 13, 2012 11:53:02.536140000 AST
Epoch Time: 1331628782.536140000 seconds
Time delta from previous captured frame: 0.008177000 seconds
Time delta from previous displayed frame: 0.008177000 seconds
Time since reference or first frame: 51.377354000 seconds
Frame Number: 4139
Frame Length: 110 bytes (880 bits)
Capture Length: 110 bytes (880 bits)
Frame is marked: False
Frame is ignored: False
Protocols in frame: eth:ip:tcp:http:data
Coloring Rule Name: HTTP
Coloring Rule String: http || tcp.port == 80

*Internet Protocol, Src: 192.168.40.3 (192.168.40.3), Dst: 10.10.10(10.10.10.53)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
Total Length: 96
Identification: 0x23e0 (9184)
Flags: 0x02 (Don't Fragment
Fragment offset: 0
Time to live : 127
Protocol : TCP (6)
Header checksum: 0xdacd [correct]
source 10.10.10.53 (10.10.10.53
Destination: 192.168.40.3 (192.168.40.3)

*Transmission Control Protocol, Src Port:49869 (49869), Dst Port: http (80), seq:
Source port: 49869 (49869)
Destination port: http (80)
[Stream index: 240]
Sequence number: 1 (relative squence number)
[NEXT squence number: 57 (relative sequence number)]
Acknowledgement number: 1 (relative ack number)
Header length: 20 bytes
Flags: 0x18 (PSH, ACK)
window size: 17520 (scaled)
Checksum: 0xba28 [validation disabled]
[SEQ/ACK analysis]

*Hypertext Transfer Protocol
  *DATA (56 bytes)
   Data:0569ff24fdd6dbd18ffe4d2f2fffaa9020alae217a53923a..
    [Length: 56]
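Wireshark applied the HTTP dissector to the frame above because of the port (its coloring rule string is http || tcp.port == 80), yet it shows all 56 bytes as DATA, which is what the dissector does when the payload's first line does not parse as an HTTP request line. The check below is an added example, not code from the thread or from Wireshark or Squid: it reproduces that decision for a TCP payload so a defender can count how many of the "invalid requests" reaching the proxy are simply not HTTP at all; the byte samples are constructed here, not the bytes from the frame above.

```python
import re
import string

# Characters allowed in an HTTP method token (RFC 7230 "tchar").
_TCHAR = frozenset((string.ascii_letters + string.digits + "!#$%&'*+-.^_`|~").encode())
_VERSION_RE = re.compile(rb"HTTP/[0-9]\.[0-9]")


def classify_port80_payload(payload: bytes) -> dict:
    """Decide whether a TCP payload sent to port 80 starts with a parseable
    HTTP/1.x request line (METHOD SP request-target SP HTTP-version CRLF).
    Anything else is reported as bare 'data', as the dissector shows it."""
    def as_data(reason: str) -> dict:
        return {"kind": "data", "reason": reason, "preview": payload[:16].hex()}

    first_line, sep, _ = payload.partition(b"\r\n")
    if not sep:
        # Tolerate a bare LF terminator, as lenient servers do.
        first_line, sep, _ = payload.partition(b"\n")
    if not sep:
        return as_data("no line terminator found")
    parts = first_line.split(b" ")
    if len(parts) != 3:
        return as_data("request line is not 'METHOD SP target SP version'")
    method, target, version = parts
    if not method or any(c not in _TCHAR for c in method):
        return as_data("method is not a valid HTTP token")
    if not target or any(c <= 0x20 or c >= 0x7F for c in target):
        return as_data("request-target contains control or non-ASCII bytes")
    if not _VERSION_RE.fullmatch(version):
        return as_data("missing or malformed HTTP-version")
    return {"kind": "http-request", "method": method.decode(),
            "target": target.decode(), "version": version.decode()}


# Constructed samples (not the bytes from the thread): a 56-byte opaque
# payload with no CR/LF in it, and ordinary proxy-style requests.
OPAQUE_56 = b"\x05\x69\xff\x24\xfd\xd6\xdb\xd1" * 7
VALID_GET = b"GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n\r\n"
VALID_CONNECT = b"CONNECT example.com:443 HTTP/1.1\r\n\r\n"
HTTP09_STYLE = b"GET /\r\n"  # no HTTP-version field at all


def count_non_http(payloads) -> int:
    """Number of payloads a dissector would show only as 'data'."""
    return sum(classify_port80_payload(p)["kind"] == "data" for p in payloads)
```

Feeding the TCP payloads of one port-80 stream through count_non_http gives a quick split between malformed HTTP and non-HTTP traffic, which narrows down what Squid is actually rejecting.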



___________________________________________________________________________
Sent via:    Wireshark-users mailing list<wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
              mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe