[Netalyzr] intranet proxy detection gets web server instead of proxy

William Krems whkrems at gmail.com
Tue Dec 18 21:11:37 PST 2012


Same here 2nd one I received


On Tue, Dec 18, 2012 at 11:06 PM, Eric Herrington <
ericdherringtonjr at gmail.com> wrote:

> I believe you are sending this to the wrong person.
>
>
> On Mon, Dec 17, 2012 at 8:22 AM, Alex Woick <alex at wombaz.de> wrote:
>
>> Christian Kreibich schrieb am 12.12.2012 10:56:
>> > We have the header information in the session transcript, so let us take
>> > a look at what's going on. In the meantime it would be helpful if you
>> > could tell us (e.g. via a tcpdump) what's the content we retrieve from
>> > your webserver. I suppose it's a 404 of some sort?
>> Yes, exactly. Apache acts as if the proxy request is a normal request to
>> the local web server.
>>
>>    Frame: Number = 364, Captured Frame Length = 481, MediaType = ETHERNET
>> + Ethernet: Etype = Internet IP
>>
>> (IPv4),DestinationAddress:[00-0C-29-F8-28-E0],SourceAddress:[BC-5F-F4-45-83-08]
>> + Ipv4: Src = 10.10.10.14, Dest = 10.10.10.11, Next Protocol = TCP,
>> Packet ID = 9106, Total IP Length = 467
>> + Tcp: Flags=...AP..., SrcPort=52493, DstPort=HTTP(80), PayloadLen=427,
>> Seq=2515443093 - 2515443520, Ack=2358625587, Win=256 (scale factor 0x8)
>> = 65536
>> - Http: Request, GET
>>
>> http://n2.netalyzr.icsi.berkeley.edu/conn/id=43ca208a-9025-9a9af3bb-31a2-47d2-82c5
>>
>>      Command: GET
>>    - URI:
>>
>> http://n2.netalyzr.icsi.berkeley.edu/conn/id=43ca208a-9025-9a9af3bb-31a2-47d2-82c5
>>       Location:
>>
>> http://n2.netalyzr.icsi.berkeley.edu/conn/id=43ca208a-9025-9a9af3bb-31a2-47d2-82c5
>>
>>      ProtocolVersion: HTTP/1.1
>>      Host:  n2.netalyzr.icsi.berkeley.edu:80
>>      UserAgent:  Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0)
>> Gecko/20100101 Firefox/17.0
>>      Accept:
>> text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>>      Accept-Language:  de,en;q=0.5
>>      Accept-Encoding:  gzip, deflate
>>      Accept-Charset:  ISO-8859-1,utf-8;q=0.7,*;q=0.7
>>      Connection:  close
>>      HeaderEnd: CRLF
>>
>>    Frame: Number = 366, Captured Frame Length = 572, MediaType = ETHERNET
>> + Ethernet: Etype = Internet IP
>>
>> (IPv4),DestinationAddress:[BC-5F-F4-45-83-08],SourceAddress:[00-0C-29-F8-28-E0]
>> + Ipv4: Src = 10.10.10.11, Dest = 10.10.10.14, Next Protocol = TCP,
>> Packet ID = 18040, Total IP Length = 558
>> + Tcp: Flags=...AP..., SrcPort=HTTP(80), DstPort=52493, PayloadLen=518,
>> Seq=2358625587 - 2358626105, Ack=2515443520, Win=245 (scale factor 0x6)
>> = 15680
>> - Http: Response, HTTP/1.1, Status: Not found, URL:
>>
>> http://n2.netalyzr.icsi.berkeley.edu/conn/id=43ca208a-9025-9a9af3bb-31a2-47d2-82c5
>>
>>      ProtocolVersion: HTTP/1.1
>>      StatusCode: 404, Not found
>>      Reason: Not Found
>>      Date:  Mon, 17 Dec 2012 13:08:55 GMT
>>      Server:  Apache/2.2.15 (CentOS)
>>      ContentLength:  338
>>      Connection:  close
>>    + ContentType:  text/html; charset=iso-8859-1
>>      HeaderEnd: CRLF
>>    - payload: HttpContentType =  text/html; charset=iso-8859-1
>>       HtmlElement: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
>>       HtmlElement:
>> <html>
>>       HtmlElement: <head>
>>       HtmlElement:
>> <title>
>>       HtmlElement: 404 Not Found</title>
>>       HtmlElement:
>> </head>
>>       HtmlElement: <body>
>>       HtmlElement:
>> <h1>
>>       HtmlElement: Not Found</h1>
>>       HtmlElement:
>> <p>
>>       HtmlElement: The requested URL
>> /conn/id=43ca208a-9025-9a9af3bb-31a2-47d2-82c5 was not found on this
>> server.</p>
>>       HtmlElement:
>> <hr>
>>       HtmlElement:
>> <address>
>>       HtmlElement: Apache/2.2.15 (CentOS) Server at
>> n2.netalyzr.icsi.berkeley.edu Port 80</address>
>>       HtmlElement:
>> </body>
>>       HtmlElement: </html>
>>       HtmlElement:
>>
>> I made a Microsoft Network monitor dump of one netalyzr session on my
>> Windows machine (the one I run the netalyzr test from). As far as I
>> know, the capture format is readable by many analyzer tools. I included
>> frames from firefox.exe and java.exe. You can download it from here:
>>
>> http://www.wombaz.de/files-to-transfer/netalyzr.cap
>>
>> Tschau
>> Alex
>> _______________________________________________
>> Netalyzr mailing list
>> Netalyzr at mailman.ICSI.Berkeley.EDU
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/netalyzr
>>
>
>
> _______________________________________________
> Netalyzr mailing list
> Netalyzr at mailman.ICSI.Berkeley.EDU
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/netalyzr
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/netalyzr/attachments/20121218/20255485/attachment.html 


More information about the Netalyzr mailing list