Hi Bar,
On Mon, May 14, 2012 at 03:20:12AM +0300, Bar Ziony wrote:
> Willy,
>
> I tried fetching 10000 packets into a file with tcpdump, then seeing which
> IPs in the haproxy log were doing the BADREQ errors at the time I was
> running tcpdump. I used -A -vvn to see the packets content. This is a
> sample of a packet I see a lot, and I saw the IP+port combination in
> haproxy error log correlating with the same combination in the tcpdump log,
> this is the packet:
> E..([email protected]..:..%.2t.V.m.P.|......P...(d..
>
> There are many more pretty similar. Any idea what it is?
You should dump raw packets. What you have above looks like an IP header
which has been converted to ASCII; it's inexploitable. Please use this
instead:
tcpdump -s0 -nvpi eth0 -w errors.cap port 80
Stop it when you have enough BADREQ and please send errors.cap off-list.
You can also use tcpflow, tshark, wireshark or even strings on the resulting
file.
Regards,
Willy
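As an added example that is not part of this thread, here is a small Python script that does the correlation Bar describes by hand: it reads a pcap of the kind the tcpdump -w command above produces and extracts the bytes sent by every client ip:port that haproxy logged as <BADREQ>. The haproxy log lines and the packets are constructed samples (the pcap is assembled in memory, Ethernet/IPv4/TCP without options); on a real system you would point it at errors.cap and the haproxy log instead.

```python
import struct
from ipaddress import IPv4Address
# Constructed haproxy HTTP log sample (one "<BADREQ>" line, one normal request).
HAPROXY_LOG = """\
May 14 03:20:12 lb haproxy[4242]: 192.0.2.10:51234 [14/May/2012:03:20:12.001] fe-http fe-http/<NOSRV> -1/-1/-1/-1/0 400 187 - - PR-- 1/1/0/0/0 0/0 "<BADREQ>"
May 14 03:20:13 lb haproxy[4242]: 192.0.2.20:40001 [14/May/2012:03:20:13.002] fe-http be-app/srv1 0/0/1/2/3 200 512 - - ---- 1/1/0/0/0 0/0 "GET / HTTP/1.1"
"""
SAMPLE_PACKETS = [  # constructed stand-in for errors.cap: (src, sport, dst, dport, payload)
    ("192.0.2.10", 51234, "198.51.100.1", 80, b"\x16\x03\x01\x02\x00\x01\x00"),
    ("192.0.2.20", 40001, "198.51.100.1", 80, b"GET / HTTP/1.1\r\n\r\n"),
]

def badreq_clients(log_text):
    """Client 'ip:port' of every <BADREQ> line: the first field after 'haproxy[pid]: '."""
    return {ln.split("]: ", 1)[1].split(" ", 1)[0]
            for ln in log_text.splitlines() if '"<BADREQ>"' in ln}

def build_pcap(packets):
    """Assemble a minimal little-endian pcap (Ethernet/IPv4/TCP, no options) in memory."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for src, sport, dst, dport, payload in packets:
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 8192, 0, 0)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0,
                         64, 6, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
        frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload   # zeroed MACs, type IPv4
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

def tcp_segments(pcap):
    """Yield ('src:sport', 'dst:dport', payload) for each IPv4/TCP frame in a pcap."""
    order = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"   # magic gives byte order
    pos = 24                                                   # skip the global header
    while pos + 16 <= len(pcap):
        caplen = struct.unpack(order + "IIII", pcap[pos:pos + 16])[2]
        frame, pos = pcap[pos + 16:pos + 16 + caplen], pos + 16 + caplen
        if frame[12:14] != b"\x08\x00" or frame[14 + 9] != 6:  # keep IPv4 + TCP only
            continue
        ip = frame[14:]
        tcp = ip[(ip[0] & 0x0F) * 4:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        yield (f"{IPv4Address(ip[12:16])}:{sport}", f"{IPv4Address(ip[16:20])}:{dport}",
               tcp[(tcp[12] >> 4) * 4:])

def badreq_payloads(log_text, pcap):
    """Map each <BADREQ> client 'ip:port' to the bytes it sent, as seen in the capture."""
    wanted, found = badreq_clients(log_text), {}
    for src, _dst, payload in tcp_segments(pcap):
        if src in wanted and payload:
            found[src] = found.get(src, b"") + payload
    return found
```

Running badreq_payloads(HAPROXY_LOG, open("errors.cap", "rb").read()) against a real capture gives the raw bytes each offending client sent, which is what strings or tshark would show you for the same ip:port.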