[Oisf-users] Error in parsing pcap: SEC_ERR_ALPARSER

Geoff Whittington geoff.whittington at gmail.com
Thu Mar 18 19:12:33 UTC 2010


Here is the simple exchange:

Client---> SYN ---> Server
Client <--- SYN, ACK <--- Server
Client ----> ACK ---> Server
Client ---> GET / HTTP/1.1 --> Server
Client <--- ACK <--- Server
Client <--- HTTP/1.1 200 OK <--- Server
Client ---> ACK ---> Server
Client --> GET HTTP/1.1 ---> Server
Client <--- HTTP/1.1 200 <--- Server
Client <--- FIN, ACK <--- Server
Client ---> ACK ----> Server
Client ----> RST, ACK ---> Server

On Thu, Mar 18, 2010 at 3:01 PM, Will Metcalf <william.metcalf at gmail.com> wrote:
> Interesting.... Does the pcap contain the complete tcp session from
> start to finish?  I will try to recreate here and open a ticket if
> needed.
>
> Regards,
>
> Will
>
> On Thu, Mar 18, 2010 at 1:56 PM, Geoff Whittington
> <geoff.whittington at gmail.com> wrote:
>> Hello,
>>
>> I'm getting an error in the HTP module:
>>
>> app-layer-htp.c:257: Error in parsing HTTP server response:
>> htp_response.c: Unable to match response to request.
>> app-layer-parser.ca:836 Error occured in parsing "http: app layer protocol...."
>>
>> Wireshark displays the pcap correctly. However it is different from
>> the typical HTTP request/response session. The client is re-using the
>> connection to send another HTTP request, and the server responds
>> correctly. Is this the root of the problem ?
>>
>> Due to copyright issues I will not be able to attach this pcap to the
>> email. This is a high-level description of the exchange:
>>
>> -- snip --
>> GET / HTTP/1.1
>> ....
>> Connection: Keep-Alive
>>
>>
>> HTTP/1.1 200 OK
>> Content-Length: YY
>>
>> **Data**
>> GET / HTTP/1.1
>> ...
>> Connection: Keep-Alive
>>
>> HTTP/1.1 200
>> Content-Length: XX
>>
>> **DATA**
>> _______________________________________________
>> Oisf-users mailing list
>> Oisf-users at openinfosecfoundation.org
>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>



More information about the Oisf-users mailing list