TCP Stream HTTP

Question

In "Follow TCP Stream" for http what is the numeric identifier after the 1.1.1.1 as shown below. The destination port I am using is 9999 not 96.

GET / HTTP/1.1
Host: 1.1.1.1:96
User-Agent: Mozilla/5.0 Windows; U; Windows NT 5.1; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: close

Answer 1

0

In "Follow TCP Stream" for http what is the numeric identifier after the 1.1.1.1

That's the port you entered in the URL, like http://1.1.1.1:9000/, at least it should be the port.

What is the port in the TCP header?

Regards
Kurt

answered 10 Feb '14, 13:21

Kurt Knochner ♦
24.8k●10●39●237
accept rate: 15%

The URL I am using is http://1.1.1.1:9999 and the trace shows I am using destination port 9999. I only see 96 when looking at the stream and it appears to remain as 96 on subsequent captures.

(10 Feb '14, 13:25) r24481

Can you please post a sample capture file somewhere (Google drive, dropbox, cloudshark.org)

(10 Feb '14, 13:31) Kurt Knochner ♦

BTW: is that a request of a real browser (old Firefox) or another tool (script) that uses that User-Agent: header?

(11 Feb '14, 01:18) Kurt Knochner ♦

Answer 2

The browser will split http://1.1.1.1:9999 into:

GET / HTTP/1.1
Host: 1.1.1.1:9999

Where did you capture the traffic? On the client with the browser? At the server? Or somewhere in between?

Some devices might alter the headers on purpose, think of load-balancers, reverse-proxies, etc. Are there any such devices in your network between the client and the server? Move your capture point from client to server and see where the request has been altered (assuming it leaves the client with the header Host: 1.1.1.1:9999, otherwise it is a problem om the client itself).