cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
gsr_privado
gsr_privado
Level 8
Report Inappropriate Content
Message 1 of 4
‎09-30-2011 01:34 PM

URL.DestinationIP property

Jump to solution

Hi,

I have this request http. but I need to know what value takes URL.DestinatioIP property for this request.

Ipaddress 200.0.156.42 or localhost?

No.     Time        Source                Destination           Protocol Length Info                                                            Destination Port

    355 6.603447    172.21.23.62          200.0.156.42          HTTP     348    POST /cgi-bin/autentia3-tran.fcgi HTTP/1.1  (text/plain)        http

Frame 355: 348 bytes on wire (2784 bits), 348 bytes captured (2784 bits)

    Arrival Time: Sep 30, 2011 03:18:16.744702000 Hora verano Sudamérica Pacífico

    Epoch Time: 1317363496.744702000 seconds

    [Time delta from previous captured frame: 0.001432000 seconds]

    [Time delta from previous displayed frame: 0.001876000 seconds]

    [Time since reference or first frame: 6.603447000 seconds]

    Frame Number: 355

    Frame Length: 348 bytes (2784 bits)

    Capture Length: 348 bytes (2784 bits)

    [Frame is marked: False]

    [Frame is ignored: False]

    [Protocols in frame: eth:ip:tcp:http:data-text-lines]

    [Coloring Rule Name: HTTP]

    [Coloring Rule String: http || tcp.port == 80]

Ethernet II, Src: HewlettP_0d:a7:9a (00:16:35:0d:a7:9a), Dst: Cisco_b2:20:cd (08:17:35:b2:20:cd)

    Destination: Cisco_b2:20:cd (08:17:35:b2:20:cd)

        Address: Cisco_b2:20:cd (08:17:35:b2:20:cd)

        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)

        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)

    Source: HewlettP_0d:a7:9a (00:16:35:0d:a7:9a)

        Address: HewlettP_0d:a7:9a (00:16:35:0d:a7:9a)

        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)

        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)

    Type: IP (0x0800)

Internet Protocol Version 4, Src: 172.21.23.62 (172.21.23.62), Dst: 200.0.156.42 (200.0.156.42)

    Version: 4

    Header length: 20 bytes

    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))

        0000 00.. = Differentiated Services Codepoint: Default (0x00)

        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)

    Total Length: 334

    Identification: 0x6b4f (27471)

    Flags: 0x02 (Don't Fragment)

        0... .... = Reserved bit: Not set

        .1.. .... = Don't fragment: Set

        ..0. .... = More fragments: Not set

    Fragment offset: 0

    Time to live: 128

    Protocol: TCP (6)

    Header checksum: 0x66dc [correct]

        [Good: True]

        [Bad: False]

    Source: 172.21.23.62 (172.21.23.62)

    Destination: 200.0.156.42 (200.0.156.42)

Transmission Control Protocol, Src Port: unicontrol (2499), Dst Port: http (80), Seq: 1, Ack: 1, Len: 294

    Source port: unicontrol (2499)

    Destination port: http (80)

    [Stream index: 12]

    Sequence number: 1    (relative sequence number)

    [Next sequence number: 295    (relative sequence number)]

    Acknowledgement number: 1    (relative ack number)

    Header length: 20 bytes

    Flags: 0x18 (PSH, ACK)

        000. .... .... = Reserved: Not set

        ...0 .... .... = Nonce: Not set

        .... 0... .... = Congestion Window Reduced (CWR): Not set

        .... .0.. .... = ECN-Echo: Not set

        .... ..0. .... = Urgent: Not set

        .... ...1 .... = Acknowledgement: Set

        .... .... 1... = Push: Set

        .... .... .0.. = Reset: Not set

        .... .... ..0. = Syn: Not set

        .... .... ...0 = Fin: Not set

    Window size value: 65535

    [Calculated window size: 65535]

    [Window size scaling factor: -2 (no window scaling used)]

    Checksum: 0x99ab [validation disabled]

        [Good Checksum: False]

        [Bad Checksum: False]

    [SEQ/ACK analysis]

        [Bytes in flight: 294]

Hypertext Transfer Protocol

    POST /cgi-bin/autentia3-tran.fcgi HTTP/1.1\n

        [Expert Info (Chat/Sequence): POST /cgi-bin/autentia3-tran.fcgi HTTP/1.1\n]

            [Message: POST /cgi-bin/autentia3-tran.fcgi HTTP/1.1\n]

            [Severity level: Chat]

            [Group: Sequence]

        Request Method: POST

        Request URI: /cgi-bin/autentia3-tran.fcgi

        Request Version: HTTP/1.1

    Host: localhost\r\n

    Content-Type: text/plain; charset=utf-8\r\n

    Date: Fri Sep 30 03:18:16 2011\r\n

    CONTENT-LENGTH:       132\r\n

        [Content length: 132]

    \r\n

    [Full request URI: http://localhost/cgi-bin/autentia3-tran.fcgi]

Line-based text data: text/plain

    *\235=IØ\206H¯=`dg&:Ö\016䢸)õ\032RU\037·}<S·Î¶\201AJ3Ã\037}\231ÔJã\025º\227Ì}ÇÍD{\217zP¶y½ßrùÊ=`N\025whe\006Ýï\021O,ða\020ÂÞ07Y\032\233Ewq\034?\224ãK\201\216\217ÚÅÀÑÍzIY}\210\225ò×+C\026(\203ÆW=@Ó\221Á©ð\022_\036\205\005)\212õF

0 Kudos
Reply
1 Solution

Accepted Solutions
gsr_privado
gsr_privado
Level 8
Report Inappropriate Content
Message 4 of 4
‎10-04-2011 08:58 AM

Re: URL.DestinationIP property

Jump to solution

Hi,

I defined the 127.0.0.1 in the Bypass request and works fine,

thanks

View solution in original post

0 Kudos
Reply
3 Replies
ITWebSec
ITWebSec
Level 8
Report Inappropriate Content
Message 2 of 4
‎09-30-2011 03:42 PM

Re: URL.DestinationIP property

Jump to solution

Your client is erroneously defining the Host: header as localhost. This is illegal from an HTTP protocol perspective.

The URL.Desitnation.IP address will always return 127.0.0.1 and not the actual TCP connection's IP address, therefore it cannot be used as a property.

Because the request is actually illegal, MWG will not pass it no matter what. I dare support to prove me wrong.

If you were using explicit proxy, you could bypass it.

If you were using WCCP, you could setup an ACL to prevent requests from going to the proxy entirely.

Since you are using bridge mode, there is nothing you can do.

Bridge mode is never a good idea, ever (for any product i've ever managed)

Message was edited by: ITWebSec on 9/30/11 5:44:08 PM CDT
0 Kudos
Reply
asabban2
asabban2
Level 17
Report Inappropriate Content
Message 3 of 4
‎10-03-2011 01:35 PM

Re: URL.DestinationIP property

Jump to solution

Hello,

when you use WCCP you can have a look at Configuration -> Proxies. There is a checkbox that says: "HTTP(S): Host header has priority over original destination address". This checkbox should help you to define if you want to use the destination IP or Host header as a preference.

Best,

Andre

0 Kudos
Reply
gsr_privado
gsr_privado
Level 8
Report Inappropriate Content
Message 4 of 4
‎10-04-2011 08:58 AM

Re: URL.DestinationIP property

Jump to solution

Hi,

I defined the 127.0.0.1 in the Bypass request and works fine,

thanks

View solution in original post

0 Kudos
Reply
More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator

    • Community Help Hub

      New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

    • Find Forum FAQs
    • Learn How to Earn Badges
    • Ask for Help
    Go to Community Help

    Join the Community

      Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

    • Get helpful solutions from McAfee experts.
    • Stay connected to product conversations that matter to you.
    • Participate in product groups led by McAfee employees.
    Join the Community
    Join the Community


    Corporate Headquarters
    2821 Mission College Blvd.
    Santa Clara, CA 95054 USA

    Consumer Support   |   Enterprise Support   |   McAfee.com

    Legal   |   Privacy   |   Copyright © 2019 McAfee, LLC