[Oisf-users] Error in parsing pcap: SEC_ERR_ALPARSER

Will Metcalf william.metcalf at gmail.com
Thu Mar 18 19:21:01 UTC 2010


Ok, right... I will try and reproduce here.  Thanks for the feedback Geoff!

Regards,

Will

On Thu, Mar 18, 2010 at 2:12 PM, Geoff Whittington
<geoff.whittington at gmail.com> wrote:
> Here is the simple exchange:
>
> Client---> SYN ---> Server
> Client <--- SYN, ACK <--- Server
> Client ----> ACK ---> Server
> Client ---> GET / HTTP/1.1 --> Server
> Client <--- ACK <--- Server
> Client <--- HTTP/1.1 200 OK <--- Server
> Client ---> ACK ---> Server
> Client --> GET HTTP/1.1 ---> Server
> Client <--- HTTP/1.1 200 <--- Server
> Client <--- FIN, ACK <--- Server
> Client ---> ACK ----> Server
> Client ----> RST, ACK ---> Server
>
> On Thu, Mar 18, 2010 at 3:01 PM, Will Metcalf <william.metcalf at gmail.com> wrote:
>> Interesting.... Does the pcap contain the complete tcp session from
>> start to finish?  I will try to recreate here and open a ticket if
>> needed.
>>
>> Regards,
>>
>> Will
>>
>> On Thu, Mar 18, 2010 at 1:56 PM, Geoff Whittington
>> <geoff.whittington at gmail.com> wrote:
>>> Hello,
>>>
>>> I'm getting an error in the HTP module:
>>>
>>> app-layer-htp.c:257: Error in parsing HTTP server response:
>>> htp_response.c: Unable to match response to request.
>>> app-layer-parser.ca:836 Error occured in parsing "http: app layer protocol...."
>>>
>>> Wireshark displays the pcap correctly. However it is different from
>>> the typical HTTP request/response session. The client is re-using the
>>> connection to send another HTTP request, and the server responds
>>> correctly. Is this the root of the problem ?
>>>
>>> Due to copyright issues I will not be able to attach this pcap to the
>>> email. This is a high-level description of the exchange:
>>>
>>> -- snip --
>>> GET / HTTP/1.1
>>> ....
>>> Connection: Keep-Alive
>>>
>>>
>>> HTTP/1.1 200 OK
>>> Content-Length: YY
>>>
>>> **Data**
>>> GET / HTTP/1.1
>>> ...
>>> Connection: Keep-Alive
>>>
>>> HTTP/1.1 200
>>> Content-Length: XX
>>>
>>> **DATA**
>>> _______________________________________________
>>> Oisf-users mailing list
>>> Oisf-users at openinfosecfoundation.org
>>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>>
>> _______________________________________________
>> Oisf-users mailing list
>> Oisf-users at openinfosecfoundation.org
>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>
>



More information about the Oisf-users mailing list