This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

HTTP 400 Status Code response from Apache to a client

0

A Wireshark trace was taken simultaneously at both sides:

    ========= Trace at the client ============
    ------------ 08:18:01h --------------------
    1181  :01.766 SYN     [204-> 53]
    1186  :01.841 SYN,ACK [204 <-53] ACK to segment in frame 1181
    1187  :01.841 ACK     [204-> 53] ACK to segment in frame 1186
    1188  :01.842 PSH,ACK [204-> 53] SEQ=1, Next SEQ=1965, ACK=1
    1189  :01.917 ACK     [204 <-53] SEQ=1, ACK=1381
    1190  :01.917 ACK     [204 <-53] SEQ=1, ACK=1965 ACK to segment in frame 1188

    ========= Trace at the server ==============
    ------------ 08:18:01h --------------------
    11942 :01.998 SYN     [204-> 53]
    11943 :01.998 SYN,ACK [204 <-53] ACK to segment in frame 11942
    11944 :02.073 ACK     [204-> 53] ACK to segment in frame 11943
    11945 :02.074 ACK     [204-> 53] SEQ=1, Next SEQ=1381, ACK=1
    11946 :02.074 PSH,ACK [204-> 53] SEQ=1381, Next SEQ=1965, ACK=1
    11947 :02.075 ACK     [204-> 53] SEQ=1, ACK=678943619 ACKs a segment not seen
    11948 :02.076 ACK     [204-> 53] SEQ=1, Next SEQ=1381, ACK=678953619
    11949 :02.076 PSH,ACK [204-> 53] SEQ=1381, Next SEQ=1965, ACK=678953619
    11950 :02.076 ACK     [204 <-53] SEQ=1, ACK=1965 ACK to segment in frame 11946
    11951 ???
    11952 ???
    ------------ 08:23:02h --------------------
    12453 02.145 FIN-ACK [204 <-53]

asked 29 Mar ‘14, 17:45

hflinn

edited 29 Mar ‘14, 23:11

mrEEde

And your question is why does the Apache send an “HTTP-400 Bad Request” message?

(29 Mar ‘14, 22:36) mrEEde

I have uploaded ‘workstation_tcp_stream_16.pcapng’ and ‘Apache_tcp_stream_56.cap’. Note there are 6 network hops from the client workstation to the Apache network side. The client was sending an HTTP POST.

Any help would be appreciated.

(30 Mar ‘14, 10:02) hflinn

You need to provide the full URL to each file.

(30 Mar ‘14, 11:25) mrEEde

[Answer converted to a comment given the way ask.wireshark.org works; please see the FAQ].

Workstation capture: https://www.cloudshark.org/captures/60d79fdf73de

Apache capture: https://www.cloudshark.org/captures/5f0a5ec3eab2

(30 Mar ‘14, 13:43) hflinn


One Answer:

0

With the information provided - which does not show the HTTP 400 message and is very confusing in the way you provided it (I changed the formatting a bit) - this can only be guesswork. Here's my interpretation of what is happening. There is a device that is duplicating the client's packets which may confuse the server.

If you need more explanation, please put the traces filtered on the TCP sessions at each side to http://cloudshark.org.


After looking at the full traces I think the problem is an incorrect Content-length field in the client's POST request.

Both Wireshark and the Apache webserver expect more data. The webserver sends back the following message after waiting for 5 minutes.

    Failure of server APACHE bridge:
    Error reading POST data from client

Wireshark fails to interpret the POST request unless you change preferences for HTTP protocol to not "Reassemble HTTP bodies ...". Doing so, it will find a [truncated] cookie indicating there's more data than what's actually contained in the segment.

answered 29 Mar '14, 23:24

mrEEde

edited 30 Mar '14, 22:17
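
The Content-Length mismatch described in the answer above can be checked offline against the raw bytes of the client's request. This is an added example, not part of the original thread or of Wireshark; the function name `check_post_body`, the host name and the sample request are constructed for illustration, and it assumes the stream holds a single request.

```python
# Added example (not from the original thread): compare the Content-Length a
# client declared with the body bytes that actually arrived on the TCP stream.
import re

def check_post_body(stream: bytes) -> dict:
    """Inspect one reassembled client-to-server HTTP request.

    `stream` is the raw TCP payload of the request, e.g. saved from a
    followed TCP stream in raw form (assumption: one request only).
    """
    head, sep, body = stream.partition(b"\r\n\r\n")
    if not sep:
        return {"status": "incomplete-headers"}
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("latin-1")
    # Collect every Content-Length header; conflicting copies are an error.
    declared = set()
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            declared.add(value.strip())
    if not declared:
        return {"status": "no-content-length", "request": request_line}
    if len(declared) > 1 or not re.fullmatch(rb"\d+", next(iter(declared))):
        return {"status": "invalid-content-length", "request": request_line}
    want, got = int(declared.pop()), len(body)
    if got < want:
        status = "body-short"   # server keeps waiting for data, then times out
    elif got > want:
        status = "body-long"    # trailing bytes would be parsed as a next request
    else:
        status = "ok"
    return {"status": status, "request": request_line,
            "declared": want, "received": got, "missing": max(want - got, 0)}

# Constructed sample: the header promises 64 bytes, only 27 are sent.
SAMPLE_BODY = b"user=alice&action=save&x=1\n"
SAMPLE = (b"POST /bridge HTTP/1.1\r\n"
          b"Host: apache.example\r\n"
          b"Content-Type: application/x-www-form-urlencoded\r\n"
          b"Content-Length: 64\r\n\r\n" + SAMPLE_BODY)

if __name__ == "__main__":
    print(check_post_body(SAMPLE))
```

A `body-short` result on a stream that ends without further client data matches the behaviour in the answer: the server waits for the remaining bytes until its read timeout expires.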