[Netalyzr] intranet proxy detection gets web server instead of proxy
William Krems
whkrems at gmail.com
Tue Dec 18 21:11:37 PST 2012
Same here 2nd one I received
On Tue, Dec 18, 2012 at 11:06 PM, Eric Herrington <
ericdherringtonjr at gmail.com> wrote:
> I believe you are sending this to the wrong person.
>
>
> On Mon, Dec 17, 2012 at 8:22 AM, Alex Woick <alex at wombaz.de> wrote:
>
>> Christian Kreibich schrieb am 12.12.2012 10:56:
>> > We have the header information in the session transcript, so let us take
>> > a look at what's going on. In the meantime it would be helpful if you
>> > could tell us (e.g. via a tcpdump) what's the content we retrieve from
>> > your webserver. I suppose it's a 404 of some sort?
>> Yes, exactly. Apache acts as if the proxy request is a normal request to
>> the local web server.
>>
>> Frame: Number = 364, Captured Frame Length = 481, MediaType = ETHERNET
>> + Ethernet: Etype = Internet IP
>>
>> (IPv4),DestinationAddress:[00-0C-29-F8-28-E0],SourceAddress:[BC-5F-F4-45-83-08]
>> + Ipv4: Src = 10.10.10.14, Dest = 10.10.10.11, Next Protocol = TCP,
>> Packet ID = 9106, Total IP Length = 467
>> + Tcp: Flags=...AP..., SrcPort=52493, DstPort=HTTP(80), PayloadLen=427,
>> Seq=2515443093 - 2515443520, Ack=2358625587, Win=256 (scale factor 0x8)
>> = 65536
>> - Http: Request, GET
>>
>> http://n2.netalyzr.icsi.berkeley.edu/conn/id=43ca208a-9025-9a9af3bb-31a2-47d2-82c5
>>
>> Command: GET
>> - URI:
>>
>> http://n2.netalyzr.icsi.berkeley.edu/conn/id=43ca208a-9025-9a9af3bb-31a2-47d2-82c5
>> Location:
>>
>> http://n2.netalyzr.icsi.berkeley.edu/conn/id=43ca208a-9025-9a9af3bb-31a2-47d2-82c5
>>
>> ProtocolVersion: HTTP/1.1
>> Host: n2.netalyzr.icsi.berkeley.edu:80
>> UserAgent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0)
>> Gecko/20100101 Firefox/17.0
>> Accept:
>> text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>> Accept-Language: de,en;q=0.5
>> Accept-Encoding: gzip, deflate
>> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
>> Connection: close
>> HeaderEnd: CRLF
>>
>> Frame: Number = 366, Captured Frame Length = 572, MediaType = ETHERNET
>> + Ethernet: Etype = Internet IP
>>
>> (IPv4),DestinationAddress:[BC-5F-F4-45-83-08],SourceAddress:[00-0C-29-F8-28-E0]
>> + Ipv4: Src = 10.10.10.11, Dest = 10.10.10.14, Next Protocol = TCP,
>> Packet ID = 18040, Total IP Length = 558
>> + Tcp: Flags=...AP..., SrcPort=HTTP(80), DstPort=52493, PayloadLen=518,
>> Seq=2358625587 - 2358626105, Ack=2515443520, Win=245 (scale factor 0x6)
>> = 15680
>> - Http: Response, HTTP/1.1, Status: Not found, URL:
>>
>> http://n2.netalyzr.icsi.berkeley.edu/conn/id=43ca208a-9025-9a9af3bb-31a2-47d2-82c5
>>
>> ProtocolVersion: HTTP/1.1
>> StatusCode: 404, Not found
>> Reason: Not Found
>> Date: Mon, 17 Dec 2012 13:08:55 GMT
>> Server: Apache/2.2.15 (CentOS)
>> ContentLength: 338
>> Connection: close
>> + ContentType: text/html; charset=iso-8859-1
>> HeaderEnd: CRLF
>> - payload: HttpContentType = text/html; charset=iso-8859-1
>> HtmlElement: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
>> HtmlElement:
>> <html>
>> HtmlElement: <head>
>> HtmlElement:
>> <title>
>> HtmlElement: 404 Not Found</title>
>> HtmlElement:
>> </head>
>> HtmlElement: <body>
>> HtmlElement:
>> <h1>
>> HtmlElement: Not Found</h1>
>> HtmlElement:
>> <p>
>> HtmlElement: The requested URL
>> /conn/id=43ca208a-9025-9a9af3bb-31a2-47d2-82c5 was not found on this
>> server.</p>
>> HtmlElement:
>> <hr>
>> HtmlElement:
>> <address>
>> HtmlElement: Apache/2.2.15 (CentOS) Server at
>> n2.netalyzr.icsi.berkeley.edu Port 80</address>
>> HtmlElement:
>> </body>
>> HtmlElement: </html>
>> HtmlElement:
>>
>> I made a Microsoft Network monitor dump of one netalyzr session on my
>> Windows machine (the one I run the netalyzr test from). As far as I
>> know, the capture format is readable by many analyzer tools. I included
>> frames from firefox.exe and java.exe. You can download it from here:
>>
>> http://www.wombaz.de/files-to-transfer/netalyzr.cap
>>
>> Tschau
>> Alex
>> _______________________________________________
>> Netalyzr mailing list
>> Netalyzr at mailman.ICSI.Berkeley.EDU
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/netalyzr
>>
>
>
> _______________________________________________
> Netalyzr mailing list
> Netalyzr at mailman.ICSI.Berkeley.EDU
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/netalyzr
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/netalyzr/attachments/20121218/20255485/attachment.html
More information about the Netalyzr
mailing list