ullix's profile - activity

2022-03-08 03:40:03 +0000 received badge  Notable Question (source)
2022-03-08 03:40:03 +0000 received badge  Popular Question (source)
2021-09-16 08:47:23 +0000 commented answer Where do I even look to find the reason for a "400 Bad Request" ?

@Chuckc: Bingo! Many thanks! When I made my comparisons of proper and improper http requests even using meld, I found n

2021-09-16 07:25:01 +0000 received badge  Rapid Responder
2021-09-16 07:25:01 +0000 answered a question Where do I even look to find the reason for a "400 Bad Request" ?

@Chuckc: Bingo! Many thanks! When I made my comparisons of proper and improper http requests even using meld, I found n

2021-09-16 06:55:39 +0000 marked best answer Where do I even look to find the reason for a "400 Bad Request" ?

I had expected Wireshark to provide an answer, but I have reached my limit in interpreting Wireshark's output and don't even know where to look further. I hope you can help.

I have a device, a Geiger counter, which is programmed to issue an HTTP request on my local network to an Apache server on that same network. This server always answers with "400 Bad Request". Consistent with that, Apache's error log says: "AH00566: request failed: malformed request line".

Then, using wireshark, I copied the "malformed" line taken from its output, and entered this line into a browser (both Firefox and Chrome used): The server now gives a 200 response, and of course no error. So seemingly the HTTP request is proper. Why is it not when coming from the Geiger counter?

I am attaching the 2 lines from wireshark, the request and the response, fully expanded, hoping that this contains the things I need to look out for. If more/other data are needed, please tell me!

Also, I have now added the mod_log_forensic module to my Apache server. This is supposed to give me all header info before and after processing them. The bummer is, it gives me all header info when the request succeeds, but none whatsoever when it fails as in my cases with "malformed requests". I don't see any options to set for this module :-((

I am confident the answer is in wireshark, but where do I even look?

(Sorry, I am not allowed to attach a file, so I resort to putting the lines here as text)

    HTTP request of device at 10.0.0.42 to server at 10.0.0.20:
====================================================================================================
Frame 67003: 165 bytes on wire (1320 bits), 165 bytes captured (1320 bits) on interface 0
    Interface id: 0 (enp3s0)
        Interface name: enp3s0
    Encapsulation type: Ethernet (1)
    Arrival Time: Sep  4, 2021 10:28:38.486223543 CEST
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1630744118.486223543 seconds
    [Time delta from previous captured frame: 0.317684532 seconds]
    [Time delta from previous displayed frame: 63.093693181 seconds]
    [Time since reference or first frame: 3654.295052488 seconds]
    Frame Number: 67003
    Frame Length: 165 bytes (1320 bits)
    Capture Length: 165 bytes (1320 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:tcp:http]
    [Coloring Rule Name: HTTP]
    [Coloring Rule String: http || tcp.port == 80 || http2]
Ethernet II, Src: Espressi_36:ac:ba (a0:20:a6:36:ac:ba), Dst: AsustekC_c3:68:12 (ac:22:0b:c3:68:12)
    Destination: AsustekC_c3:68:12 (ac:22:0b:c3:68:12)
        Address: AsustekC_c3:68:12 (ac:22:0b:c3:68:12)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: Espressi_36:ac:ba (a0:20:a6:36:ac:ba)
        Address: Espressi_36:ac:ba (a0:20:a6:36:ac:ba)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src ...
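A worked check for the situation described in the question, added here as an example and not taken from the question, the accepted answer or Apache's source. It applies the RFC 7230 request-line grammar (method SP request-target SP HTTP-version CRLF, single spaces, no control bytes) to the raw bytes of a request and lists every way the first line deviates from it. That grammar is an approximation of what a strict server parser rejects, not a copy of Apache's read_request_line(), so treating each listed problem as the cause of AH00566 is an assumption. The sample requests are constructed, the path /cgi-bin/log.php is made up, and the "broken" variants are the kinds of bytes embedded firmware tends to emit when it assembles the request line by string concatenation (LF-only line endings, double or trailing spaces, a tab, an unencoded space in the query, a stray NUL):

```python
"""Strict HTTP/1.1 request-line checker (added example, not from the original post).

Grammar applied: method SP request-target SP HTTP-version CRLF, with exactly one
space between the three parts. This approximates what a strict server parser
rejects; it is NOT Apache's own parser, so the mapping to AH00566 is an assumption.
"""
import re

# Token characters permitted in an HTTP method (RFC 7230 "tchar").
_TCHAR = rb"!#$%&'*+\-.^_`|~0-9A-Za-z"
_METHOD_RE = re.compile(rb"^[" + _TCHAR + rb"]+$")
_VERSION_RE = re.compile(rb"^HTTP/[0-9]\.[0-9]$")
# Characters allowed in a path or query without percent-encoding
# (unreserved, sub-delims, the "%" of a pct-encoded triplet, ":" and "@").
_PCHAR = rb"A-Za-z0-9\-._~%!$&'()*+,;=:@"
_ORIGIN_FORM_RE = re.compile(rb"^/[" + _PCHAR + rb"/]*(\?[" + _PCHAR + rb"/?]*)?$")
_ABSOLUTE_FORM_RE = re.compile(
    rb"^https?://[A-Za-z0-9\-._~%!$&'()*+,;=:\[\]]+"
    rb"(/[" + _PCHAR + rb"/]*(\?[" + _PCHAR + rb"/?]*)?)?$"
)


def check_request_line(raw: bytes) -> list[str]:
    """Return a list of problems found in the first line of a raw HTTP request.

    An empty list means the request line satisfies the grammar above.
    """
    problems: list[str] = []
    nl = raw.find(b"\n")
    if nl == -1:
        return ["no LF found: request line is not terminated"]
    line = raw[:nl]
    if line.endswith(b"\r"):
        line = line[:-1]
    else:
        problems.append("line ends with bare LF, not CRLF")

    if not line:
        problems.append("empty request line")
        return problems
    if line[:1] in (b" ", b"\t"):
        problems.append("leading whitespace before the method")

    # Control bytes (tab, NUL, stray CR) and non-ASCII are illegal anywhere in the line.
    for offset, byte in enumerate(line):
        if byte < 0x20 or byte > 0x7E:
            problems.append(f"illegal byte 0x{byte:02x} at offset {offset}")

    # Splitting on a single space exposes double spaces (empty part), trailing
    # spaces and unencoded spaces inside the target as a wrong part count.
    parts = line.split(b" ")
    if len(parts) != 3:
        problems.append(
            f"expected 3 space-separated parts (method, target, version), got {len(parts)}"
        )
        return problems

    method, target, version = parts
    if not _METHOD_RE.match(method):
        problems.append(f"invalid method token {method!r}")
    if not (_ORIGIN_FORM_RE.match(target) or _ABSOLUTE_FORM_RE.match(target)):
        problems.append(f"invalid request-target {target!r} (unencoded or illegal characters?)")
    if not _VERSION_RE.match(version):
        problems.append(f"invalid HTTP-version {version!r}")
    return problems


# Constructed sample requests (not the bytes from the capture in the question);
# the path /cgi-bin/log.php is made up. "browser" is what a browser sends after
# normalising a pasted URL; the rest are typical hand-built firmware mistakes.
SAMPLES: dict[str, bytes] = {
    "browser":        b"GET /cgi-bin/log.php?cpm=17 HTTP/1.1\r\nHost: 10.0.0.20\r\n\r\n",
    "bare_lf":        b"GET /cgi-bin/log.php?cpm=17 HTTP/1.1\nHost: 10.0.0.20\n\n",
    "double_space":   b"GET  /cgi-bin/log.php?cpm=17 HTTP/1.1\r\nHost: 10.0.0.20\r\n\r\n",
    "trailing_space": b"GET /cgi-bin/log.php?cpm=17 HTTP/1.1 \r\nHost: 10.0.0.20\r\n\r\n",
    "tab_separated":  b"GET\t/cgi-bin/log.php?cpm=17\tHTTP/1.1\r\nHost: 10.0.0.20\r\n\r\n",
    "space_in_query": b"GET /cgi-bin/log.php?cpm=17 &unit=cpm HTTP/1.1\r\nHost: 10.0.0.20\r\n\r\n",
    "stray_nul":      b"GET /cgi-bin/log.php?cpm=17 HTTP/1.1\x00\r\nHost: 10.0.0.20\r\n\r\n",
}


def report(samples: dict[str, bytes] = SAMPLES) -> dict[str, list[str]]:
    """Check every sample, print one verdict line each, and return the findings."""
    results = {name: check_request_line(raw) for name, raw in samples.items()}
    for name, problems in results.items():
        first_line = samples[name].split(b"\n", 1)[0]
        verdict = "ok" if not problems else "; ".join(problems)
        print(f"{name:15s} {first_line!r:48s} -> {verdict}")
    return results


if __name__ == "__main__":
    report()
```

The point of running it on bytes rather than on the text Wireshark displays: most of these defects are invisible once the line is rendered (a bare LF, a trailing space, a tab and a NUL all look like a normal request line in the packet list), and pasting that rendered line into a browser makes the browser build its own request, percent-encoding spaces and sending CRLF terminators, so a 200 from the browser says nothing about the device's bytes. To feed the real payload in, export it from the capture as hex, for example with `tshark -r capture.pcapng -Y 'frame.number == 67003' -T fields -e tcp.payload`, and pass `bytes.fromhex(...)` of that output to `check_request_line`.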
2021-09-16 06:55:39 +0000 received badge  Scholar (source)
2021-09-15 12:04:03 +0000 asked a question Where do I even look to find the reason for a "400 Bad Request" ?

Where do I even look to find the reason for a "400 Bad Request" ? I had expected wireshark providing an answer, but I ha