This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Multiple IPs in X-Forwarded-For field


Hi All,

Like the title says, I have packets that have multiple IPs in the X-Forwarded-For field. Our public facing IPs and sites are behind Akamai and some of the IPs are from them. This is expected. There are others for another business partner and a few unknowns. However, occasionally I'll see packets with 2 or even 3 IPs in that field.

What does that mean?

My first thought was routing before or after Akamai, but I don't think that is correct.

Thanks in advance!

Rk.

asked 12 Jun '17, 15:17


rkwarner2

edited 12 Jun '17, 18:41


Jim Aragon


One Answer:


See this Wikipedia article, which discusses how the X-Forwarded-For header is used to keep a proxy server from also turning into an anonymizing service. The article states that:

"The general format of the field is:"

X-Forwarded-For: client, proxy1, proxy2

"where the value is a comma+space separated list of IP addresses, the left-most being the original client, and each successive proxy that passed the request adding the IP address where it received the request from. In this example, the request passed through proxy1, proxy2, and then proxy3 (not shown in the header). proxy3 appears as [the] remote address of the request."

So it looks like the packets with multiple IP addresses in the X-Forwarded-For header are going through multiple proxies or load balancers before reaching the web server.

answered 12 Jun '17, 18:37


Jim Aragon

Awesome! Thank you. That answers my question.

(12 Jun '17, 19:36) rkwarner2

If an answer has solved your issue, please accept the answer for the benefit of other users by clicking the checkmark icon next to the answer. Please read the FAQ for more information.

(13 Jun '17, 00:50) grahamb ♦
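
The header format quoted in the answer above, worked through as an added example (not part of the original thread): it reconstructs the hop chain from the X-Forwarded-For value plus the connection's peer address and marks which entries were not written by a proxy you control. The proxy networks and sample addresses are constructed documentation ranges, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample: RFC 5737 documentation ranges standing in for the
# CDN edge and a partner proxy. Replace with your real proxy networks.
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24"),
                   ipaddress.ip_network("198.51.100.0/24")]

def parse_xff(header_values):
    """Flatten one or more X-Forwarded-For values into an ordered hop list."""
    hops = []
    for value in header_values:          # the header may appear more than once
        hops += [t.strip() for t in value.split(",") if t.strip()]
    return hops

def is_trusted(addr, trusted=TRUSTED_PROXIES):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:                   # "unknown", hostnames, garbage
        return False
    return any(ip in net for net in trusted)

def analyze(header_values, remote_addr, trusted=TRUSTED_PROXIES):
    """Describe the path implied by X-Forwarded-For plus the TCP peer address."""
    hops = parse_xff(header_values)
    chain = hops + [remote_addr]         # the last proxy only shows up as the peer
    # Walk right to left: the first address that is not one of our proxies is
    # the nearest hop we do not control. Entries left of it are whatever that
    # hop sent, so they are unverified.
    idx = next((i for i in range(len(chain) - 1, -1, -1)
                if not is_trusted(chain[i], trusted)), None)
    return {
        "claimed_client": hops[0] if hops else remote_addr,
        "nearest_untrusted": chain[idx] if idx is not None else None,
        "proxy_count": len(hops),        # each header entry implies one forwarder
        "unverified": chain[:idx] if idx is not None else [],
    }

if __name__ == "__main__":
    # Constructed requests: (X-Forwarded-For values, peer address)
    for xff, peer in [(["192.0.2.10, 198.51.100.7"], "203.0.113.5"),
                      (["10.1.1.1, 192.0.2.77, 198.51.100.7"], "203.0.113.5"),
                      ([], "192.0.2.50")]:
        print(xff, peer, analyze(xff, peer))
```

In the second sample the left-most entry (10.1.1.1) was already in the header when the first trusted proxy received the request, so it should be logged as claimed rather than used for access decisions.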