Where do I even look to find the reason for a "400 Bad Request"?

I had expected Wireshark to provide an answer, but I have reached my limit in interpreting Wireshark's output and don't even know where to look further. I hope you can help.

I have a device, a Geiger counter, which is programmed to issue an HTTP request on my local network to an Apache server on that same network. This server always answers with "400 Bad Request". Consistent with that, Apache's error log says: "AH00566: request failed: malformed request line".

Then, using Wireshark, I copied the "malformed" line taken from its output and entered this line into a browser (both Firefox and Chrome were used): the server now gives a 200 response, and of course no error. So seemingly the HTTP request is proper. Why is it not when coming from the Geiger counter?

I am attaching the two lines from Wireshark, the request and the response, fully expanded, hoping that this contains the things I need to look out for. If more/other data are needed, please tell me!

Also, I have now added the mod_log_forensic module to my Apache server. This is supposed to give me all header info before and after processing them. The bummer is, it gives me all header info when the request succeeds, but none whatsoever when it fails, as in my cases with "malformed requests". I don't see any options to set for this module :-((

I am confident the answer is in Wireshark, but where do I even look?

(Sorry, I am not allowed to attach a file, so I resort to putting the lines here as text)

HTTP request of device at 10.0.0.42 to server at 10.0.0.20:
====================================================================================================
Frame 67003: 165 bytes on wire (1320 bits), 165 bytes captured (1320 bits) on interface 0
    Interface id: 0 (enp3s0)
        Interface name: enp3s0
    Encapsulation type: Ethernet (1)
    Arrival Time: Sep  4, 2021 10:28:38.486223543 CEST
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1630744118.486223543 seconds
    [Time delta from previous captured frame: 0.317684532 seconds]
    [Time delta from previous displayed frame: 63.093693181 seconds]
    [Time since reference or first frame: 3654.295052488 seconds]
    Frame Number: 67003
    Frame Length: 165 bytes (1320 bits)
    Capture Length: 165 bytes (1320 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:tcp:http]
    [Coloring Rule Name: HTTP]
    [Coloring Rule String: http || tcp.port == 80 || http2]
Ethernet II, Src: Espressi_36:ac:ba (a0:20:a6:36:ac:ba), Dst: AsustekC_c3:68:12 (ac:22:0b:c3:68:12)
    Destination: AsustekC_c3:68:12 (ac:22:0b:c3:68:12)
        Address: AsustekC_c3:68:12 (ac:22:0b:c3:68:12)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: Espressi_36:ac:ba (a0:20:a6:36:ac:ba)
        Address: Espressi_36:ac:ba (a0:20:a6:36:ac:ba)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 10.0.0.42, Dst: 10.0.0.20
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 151
    Identification: 0x0006 (6)
    Flags: 0x0000
        0... .... .... .... = Reserved bit: Not set
        .0.. .... .... .... = Don't fragment: Not set
        ..0. .... .... .... = More fragments: Not set
        ...0 0000 0000 0000 = Fragment offset: 0
    Time to live: 127
    Protocol: TCP (6)
    Header checksum: 0x271e [validation disabled]
    [Header checksum status: Unverified]
    Source: 10.0.0.42
    Destination: 10.0.0.20
Transmission Control Protocol, Src Port: 17062, Dst Port: 80, Seq: 1, Ack: 1, Len: 111
    Source Port: 17062
    Destination Port: 80
    [Stream index: 347]
    [TCP Segment Len: 111]
    Sequence number: 1    (relative sequence number)
    [Next sequence number: 112    (relative sequence number)]
    Acknowledgment number: 1    (relative ack number)
    0101 .... = Header Length: 20 bytes (5)
    Flags: 0x018 (PSH, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 1... = Push: Set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
        [TCP Flags: ·······AP···]
    Window size value: 2920
    [Calculated window size: 2920]
    [Window size scaling factor: -2 (no window scaling used)]
    Checksum: 0xf631 [unverified]
    [Checksum Status: Unverified]
    Urgent pointer: 0
    [SEQ/ACK analysis]
        [iRTT: 0.004491340 seconds]
        [Bytes in flight: 111]
        [Bytes sent since last PSH flag: 111]
    [Timestamps]
        [Time since first frame in this TCP stream: 0.322175872 seconds]
        [Time since previous frame in this TCP stream: 0.317684532 seconds]
    TCP payload (111 bytes)
Hypertext Transfer Protocol
    GET /?AID=0123&GID=4567&CPM=22&ACPM=20.39&uSV=0.14 HTTP/1.1\n
        [Expert Info (Chat/Sequence): GET /?AID=0123&GID=4567&CPM=22&ACPM=20.39&uSV=0.14 HTTP/1.1\n]
            [GET /?AID=0123&GID=4567&CPM=22&ACPM=20.39&uSV=0.14 HTTP/1.1\n]
            [Severity level: Chat]
            [Group: Sequence]
        Request Method: GET
        Request URI: /?AID=0123&GID=4567&CPM=22&ACPM=20.39&uSV=0.14
            Request URI Path: /
            Request URI Query: AID=0123&GID=4567&CPM=22&ACPM=20.39&uSV=0.14
                Request URI Query Parameter: AID=0123
                Request URI Query Parameter: GID=4567
                Request URI Query Parameter: CPM=22
                Request URI Query Parameter: ACPM=20.39
                Request URI Query Parameter: uSV=0.14
        Request Version: HTTP/1.1
    Host: 10.0.0.20\r\n
    Connection: close\r\n
    Accept: */*\r\n
    \r\n
    [Full request URI: http://10.0.0.20/?AID=0123&GID=4567&CPM=22&ACPM=20.39&uSV=0.14]
    [HTTP request 1/1]
    [Response in frame: 67005]

====================================================================================================

HTTP response of server at 10.0.0.42 to device at 10.0.0.42:
====================================================================================================
Frame 67005: 538 bytes on wire (4304 bits), 538 bytes captured (4304 bits) on interface 0
    Interface id: 0 (enp3s0)
        Interface name: enp3s0
    Encapsulation type: Ethernet (1)
    Arrival Time: Sep  4, 2021 10:28:38.486469123 CEST
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1630744118.486469123 seconds
    [Time delta from previous captured frame: 0.000198404 seconds]
    [Time delta from previous displayed frame: 0.000245580 seconds]
    [Time since reference or first frame: 3654.295298068 seconds]
    Frame Number: 67005
    Frame Length: 538 bytes (4304 bits)
    Capture Length: 538 bytes (4304 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:tcp:http:data-text-lines]
    [Coloring Rule Name: HTTP]
    [Coloring Rule String: http || tcp.port == 80 || http2]
Ethernet II, Src: AsustekC_c3:68:12 (ac:22:0b:c3:68:12), Dst: Espressi_36:ac:ba (a0:20:a6:36:ac:ba)
    Destination: Espressi_36:ac:ba (a0:20:a6:36:ac:ba)
        Address: Espressi_36:ac:ba (a0:20:a6:36:ac:ba)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: AsustekC_c3:68:12 (ac:22:0b:c3:68:12)
        Address: AsustekC_c3:68:12 (ac:22:0b:c3:68:12)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 10.0.0.20, Dst: 10.0.0.42
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 524
    Identification: 0x8870 (34928)
    Flags: 0x4000, Don't fragment
        0... .... .... .... = Reserved bit: Not set
        .1.. .... .... .... = Don't fragment: Set
        ..0. .... .... .... = More fragments: Not set
        ...0 0000 0000 0000 = Fragment offset: 0
    Time to live: 64
    Protocol: TCP (6)
    Header checksum: 0x9c3e [validation disabled]
    [Header checksum status: Unverified]
    Source: 10.0.0.20
    Destination: 10.0.0.42
Transmission Control Protocol, Src Port: 80, Dst Port: 17062, Seq: 1, Ack: 112, Len: 484
    Source Port: 80
    Destination Port: 17062
    [Stream index: 347]
    [TCP Segment Len: 484]
    Sequence number: 1    (relative sequence number)
    [Next sequence number: 485    (relative sequence number)]
    Acknowledgment number: 112    (relative ack number)
    0101 .... = Header Length: 20 bytes (5)
    Flags: 0x018 (PSH, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 1... = Push: Set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
        [TCP Flags: ·······AP···]
    Window size value: 64129
    [Calculated window size: 64129]
    [Window size scaling factor: -2 (no window scaling used)]
    Checksum: 0x25ca [unverified]
    [Checksum Status: Unverified]
    Urgent pointer: 0
    [SEQ/ACK analysis]
        [iRTT: 0.004491340 seconds]
        [Bytes in flight: 484]
        [Bytes sent since last PSH flag: 484]
    [Timestamps]
        [Time since first frame in this TCP stream: 0.322421452 seconds]
        [Time since previous frame in this TCP stream: 0.000198404 seconds]
    TCP payload (484 bytes)
Hypertext Transfer Protocol
    HTTP/1.1 400 Bad Request\r\n
        [Expert Info (Chat/Sequence): HTTP/1.1 400 Bad Request\r\n]
            [HTTP/1.1 400 Bad Request\r\n]
            [Severity level: Chat]
            [Group: Sequence]
        Response Version: HTTP/1.1
        Status Code: 400
        [Status Code Description: Bad Request]
        Response Phrase: Bad Request
    Date: Sat, 04 Sep 2021 08:28:38 GMT\r\n
    Server: Apache/2.4.18 (Ubuntu)\r\n
    Content-Length: 302\r\n
        [Content length: 302]
    Connection: close\r\n
    Content-Type: text/html; charset=iso-8859-1\r\n
    \r\n
    [HTTP response 1/1]
    [Time since request: 0.000245580 seconds]
    [Request in frame: 67003]
    [Request URI: http://10.0.0.20/?AID=0123&GID=4567&CPM=22&ACPM=20.39&uSV=0.14]
    File Data: 302 bytes
Line-based text data: text/html (10 lines)
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n
    <html><head>\n
    <title>400 Bad Request</title>\n
    </head><body>\n
    <h1>Bad Request</h1>\n
    <p>Your browser sent a request that this server could not understand.<br />\n
    </p>\n
    <hr>\n
    <address>Apache/2.4.18 (Ubuntu) Server at meinserver Port 80</address>\n
    </body></html>\n
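One detail worth checking in the dissection above: Wireshark shows the request line ending in a bare `\n` while every header line ends in `\r\n`, and the segment length (111 bytes) is consistent with exactly that. RFC 7230 requires CRLF after the request line, and a strict HTTP parser may reject a bare LF as a malformed request line, which a browser never sends. The following is an added example (not part of the original post) that reconstructs the captured payload from the dissection and reports every line of the request head whose terminator is not CRLF:

```python
"""Flag non-CRLF line terminators in a raw HTTP/1.1 request head.

Added diagnostic example; the payload below is constructed from the
Wireshark dissection of frame 67003 (request line shown with a bare \\n,
header lines shown with \\r\\n) and is not a capture file.
"""
import re

# Constructed from the dissection: 60 + 17 + 19 + 13 + 2 = 111 bytes,
# matching "[TCP Segment Len: 111]" in the capture.
DEVICE_REQUEST = (
    b"GET /?AID=0123&GID=4567&CPM=22&ACPM=20.39&uSV=0.14 HTTP/1.1\n"
    b"Host: 10.0.0.20\r\n"
    b"Connection: close\r\n"
    b"Accept: */*\r\n"
    b"\r\n"
)

# The same request the way a browser sends it: every line ends in CRLF.
BROWSER_REQUEST = DEVICE_REQUEST.replace(b"HTTP/1.1\n", b"HTTP/1.1\r\n", 1)

# Minimal request-line grammar: METHOD SP request-target SP HTTP-version.
REQUEST_LINE_RE = re.compile(rb"[A-Z]+ \S+ HTTP/\d\.\d")


def check_line_terminators(raw: bytes) -> list[str]:
    """Return one finding per head line that is terminated by LF only.

    Splitting on LF keeps a trailing CR on each piece that was CRLF
    terminated, so a piece without a trailing CR had a bare LF.
    """
    findings = []
    for index, piece in enumerate(raw.split(b"\n")):
        if piece in (b"", b"\r"):
            break  # empty line: end of the request head
        if not piece.endswith(b"\r"):
            what = "request line" if index == 0 else f"header line {index}"
            findings.append(f"{what} ends in bare LF instead of CRLF: {piece!r}")
    return findings


def request_line_is_well_formed(raw: bytes) -> bool:
    """True only if the first line matches the grammar and ends in CRLF."""
    first, _, _ = raw.partition(b"\n")
    if not first.endswith(b"\r"):
        return False
    return REQUEST_LINE_RE.fullmatch(first[:-1]) is not None


if __name__ == "__main__":
    for name, req in (("device", DEVICE_REQUEST), ("browser", BROWSER_REQUEST)):
        print(name, check_line_terminators(req) or "all lines CRLF-terminated")
```

In Wireshark itself the same difference is visible by following the TCP stream in hex view: the request line ends in `0a` where the header lines end in `0d 0a`.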