This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

In "Follow TCP Stream" for http what is the numeric identifier after the 1.1.1.1 as shown below. The destination port I am using is 9999 not 96.

GET / HTTP/1.1
Host: 1.1.1.1:96
User-Agent: Mozilla/5.0 Windows; U; Windows NT 5.1; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: close

asked 10 Feb '14, 12:47

r24481's gravatar image

r24481
1111
accept rate: 0%

edited 11 Feb '14, 00:41

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245


In "Follow TCP Stream" for http what is the numeric identifier after the 1.1.1.1

That's the port you entered in the URL, like http://1.1.1.1:9000/, at least it should be the port.

What is the port in the TCP header?

Regards
Kurt

permanent link

answered 10 Feb '14, 13:21

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

The URL I am using is http://1.1.1.1:9999 and the trace shows I am using destination port 9999. I only see 96 when looking at the stream and it appears to remain as 96 on subsequent captures.

(10 Feb '14, 13:25) r24481

Can you please post a sample capture file somewhere (Google drive, dropbox, cloudshark.org)

(10 Feb '14, 13:31) Kurt Knochner ♦

BTW: is that a request of a real browser (old Firefox) or another tool (script) that uses that User-Agent: header?

(11 Feb '14, 01:18) Kurt Knochner ♦

The browser will split http://1.1.1.1:9999 into:

GET / HTTP/1.1
Host: 1.1.1.1:9999

Where did you capture the traffic? On the client with the browser? At the server? Or somewhere in between?

Some devices might alter the headers on purpose, think of load-balancers, reverse-proxies, etc. Are there any such devices in your network between the client and the server? Move your capture point from client to server and see where the request has been altered (assuming it leaves the client with the header Host: 1.1.1.1:9999, otherwise it is a problem om the client itself).

permanent link

answered 11 Feb '14, 01:47

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×752
×29
×24

question asked: 10 Feb '14, 12:47

question was seen: 3,154 times

last updated: 11 Feb '14, 01:47

p​o​w​e​r​e​d by O​S​Q​A