Question

In the Wireshark Capture.

In frame 126, follow the TCP stream. What is the request that is made to the server?

What response does the server give back?

Based on these messages and others you can see in the packet capture, what would you say is going on? Is this an attack? If so, what type of attack might it be?

No. Time source Destination Protocol Length Info 74 52148 80 SYN] Seq-0 win 29200 Len-0 Mss 1460 SACK PERM 1 Tsval 54972840 Tsecr 0 WS-128 123 0.073997 192.168.12.143 172.19.36.129 TCP 124 0.075432 172.19.36.129 192.168.12.143 60 80 52148 SYN ACK] Seq 0 Ack 1 win 64240 Len 0 MSS 1460 TCP 125 0.075458 54 52148-80 ACK] Seq 1 Ack-1 win-29200 Len-0 192.168.12.143 172.19.36.129 TCP 126 0.075688 192.168.12.143 172.19.36.129 90 52148-800 PSH. ACK] Seq-1 Ack-1 win 29200 Len 36 TCP 127 0.075827 60 80-52148 ACK seq 1 Ack-37 win-64240 Len-0 172.19.36.129 192.168.12.143 TCP 172.19.36.129 128 0.075904 192.168.12.143 TCP 54 52148 80 FIN, ACK] Seq 37 Ack-1 win 29200 Len 0 129 0.076052 60 80-52148 ACK Seq-1 Ack-38 win-64239 Len-0 172.19.36.129 192.168.12.143 TCP 130 0.076273 172.19.36.129 192.168.12.143 537 HTTP/1.1 400 Bad Request (text/html) 131 0.076288 54 52148-80 ACK Seq-38 Ack-484 win-30016 Len-0 192.168.12.143 172.19.36.129 TCP 132 0.076342 172.19.36.129 192.168.12.143 TCP 60 80 52148 [FIN, PSH, ACK] Seq 484 Ack 38 win 64239 Len 0 54 52148-800 ACK Seq-38 Ack-485 Win-30016 Len-0 133 0.076350 192.168.12.143 172.19.36.129 TCP A Wireshark. Follow TCP Stream (tcp.stream eq 11) week6 HTTP /1.1GET hoST: 127.0.0.1. HTTP /1.1 400 Bad Request Date Thu, 30 Apr 2015 18:39:11 GMT Apache/2.4.10 (Ubuntu) Server Content-Length: 301 close Connection Content-Type: text/html; charset iso-8859-1 DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> html <head> <title 400 Bad Request</title head <body> 1 Bad Request</h1> <p Your browser sent a request that this server could not understand.<br </p> Kaddress: Apache/2.4.10 (Ubuntu) Server at 127.0.1.1 Port 80</address> body></html>

Answer 1

1. Handshake request sent to the server, getting response for the same.
2. Server responded as it's a bad request as there is no http acknowledgement available.
3. No it's not an attack. Client is trying to make a http connection with server, but server responded it as bad request as there is no http running on port 80.