I emailed you the capture and gdb session. Thanks & Cheers,
Toby On Sep 25, 2013, at 1:55 PM, Luca Deri <[email protected]> wrote: > Toby > I have mountain lion and it works for me. I believe you have a packet that > causes the HTTP decoder to fail. Can you please capture some traffic (full > packets) while ntopng is running so that we can try to reproduce the bug > passing the pcap with ail -i? > > Thanks Luca > > On Sep 25, 2013, at 6:58 PM, Toby Simmons <[email protected]> wrote: > >> I'm getting a crash within a few seconds of launching using SVN 6812 (both >> ntopng and nDPI) on Mountain Lion, 10.8.5. >> >> (gdb) run --interface en3 --local-networks >> "191.1.1.0/24,10.0.0.0/8,172.16.1.0/24" --dont-change-user --dns-mode 1 >> --http-port 3000 --data-dir data --callbacks-dir scripts/callbacks >> --httpdocs-dir httpdocs --scripts-dir scripts --verbose --dump-flows >> €** SNIP ** >> Program received signal EXC_BAD_ACCESS, Could not access memory. >> Reason: KERN_INVALID_ADDRESS at address: 0x0000000000000000 >> [Switching to process 17104 thread 0x2203] >> check_content_type_and_change_protocol (ndpi_struct=0xb06219c0, flow=0x29) >> at http.c:608 >> 608 end[0] = '\0'; >> (gdb) bt >> #0 check_content_type_and_change_protocol (ndpi_struct=0xb06219c0, >> flow=0x29) at http.c:608 >> #1 0x00000001000690be in ndpi_search_http_tcp (ndpi_struct=0x852a00, >> flow=0x2aafa00) at http.c:891 >> #2 0x000000010005b5f2 in ndpi_detection_process_packet >> (ndpi_struct=0x852a00, flow=0x2aafa00, packet=0x0, current_tick=2959218832, >> src=0x1bb, dst=0x31767d0, packetlen=41) at ndpi_main.c:3956 >> #3 0x000000010003f961 in NetworkInterface::packet_processing >> (this=0x810c00, when=1380127167, time=1380127167349, eth=0x73a422, >> vlan_id=0, iph=0x73a430, ip6=0x0, ipsize=1180, rawsize=1194) at >> NetworkInterface.cpp:357 >> #4 0x00000001000400df in NetworkInterface::packet_dissector (this=0x810c00, >> h=0xb0621dc0, packet=0x73a422 "") at NetworkInterface.cpp:491 >> #5 0x0000000100046bd7 in packetPollLoop (ptr=0x810c00) at >> PcapInterface.cpp:86 >> #6 0x00007fff8d5ec772 in _pthread_start () >> #7 0x00007fff8d5d91a1 in thread_start () >> Current language: auto; currently c >> (gdb) f 0 >> #0 check_content_type_and_change_protocol (ndpi_struct=0xb06219c0, >> flow=0x29) at http.c:608 >> 608 end[0] = '\0'; >> (gdb) f 1 >> #1 0x00000001000690be in ndpi_search_http_tcp (ndpi_struct=0x852a00, >> flow=0x2aafa00) at http.c:891 >> 891 check_content_type_and_change_protocol(ndpi_struct, flow); >> €(gdb) f 0 >> #0 check_content_type_and_change_protocol (ndpi_struct=0xb06219c0, >> flow=0x29) at http.c:608 >> 608 end[0] = '\0'; >> (gdb) p flow >> $3 = (struct ndpi_flow_struct *) 0x29 >> (gdb) p *flow >> Cannot access memory at address 0x29 >> (gdb) f 1 >> #1 0x00000001000690be in ndpi_search_http_tcp (ndpi_struct=0x852a00, >> flow=0x2aafa00) at http.c:891 >> 891 check_content_type_and_change_protocol(ndpi_struct, flow); >> (gdb) p *flow >> $4 = { >> detected_protocol_stack = {7, 0, 0}, >> protocol_stack_info = { >> entry_is_real_protocol = 1 '\001', >> current_stack_size_minus_one = 1 '\001' >> }, >> init_finished = 1 '\001', >> setup_packet_direction = 0 '\0', >> next_tcp_seq_nr = {2032705124, 1107734057}, >> l4 = { >> tcp = { >> flash_bytes = 0, >> smtp_command_bitmask = 0, >> pop_command_bitmask = 0, >> qq_nxt_len = 0, >> tds_login_version = 0 '\0', >> pplive_next_packet_size = "\000", >> irc_stage = 0 '\0', >> irc_port = 0 '\0', >> gnutella_msg_id = "\000\000", >> edk_ext = 0, >> irc_3a_counter = 0, >> irc_stage2 = 0, >> irc_direction = 0, >> irc_0x1000_full = 0, >> winmx_stage = 0, >> soulseek_stage = 0, >> filetopia_stage = 0, >> tds_stage = 0, >> usenet_stage = 0, >> imesh_stage = 0, >> ftp_codes_seen = 0, >> ftp_client_direction = 0, >> http_setup_dir = 1, >> http_stage = 0, >> http_empty_line_seen = 0, >> http_wait_for_retransmission = 0, >> flash_stage = 0, >> gnutella_stage = 0, >> mms_stage = 0, >> yahoo_sip_comm = 0, >> yahoo_http_proxy_stage = 0, >> msn_stage = 0, >> msn_ssl_ft = 0, >> ssh_stage = 0, >> vnc_stage = 0, >> steam_stage = 0, >> telnet_stage = 0, >> ssl_stage = 0 '\0', >> ssl_seen_client_cert = 0 '\0', >> ssl_seen_server_cert = 0 '\0', >> postgres_stage = 0, >> ddlink_server_direction = 0, >> seen_syn = 1, >> seen_syn_ack = 1, >> seen_ack = 1, >> icecast_stage = 0, >> dofus_stage = 0, >> fiesta_stage = 0, >> wow_stage = 0, >> veoh_tv_stage = 0, >> shoutcast_stage = 0, >> rtp_special_packets_seen = 0, >> mail_pop_stage = 0, >> mail_imap_stage = 0, >> skype_packet_id = 0 '\0', >> citrix_packet_id = 0 '\0', >> lotus_notes_packet_id = 0 '\0', >> teamviewer_stage = 0 '\0' >> }, >> udp = { >> battlefield_msg_id = 0, >> snmp_msg_id = 0, >> battlefield_stage = 0, >> snmp_stage = 0, >> ppstream_stage = 0, >> halflife2_stage = 0, >> tftp_stage = 0, >> aimini_stage = 0, >> xbox_stage = 0, >> wsus_stage = 0, >> skype_packet_id = 0 '\0', >> teamviewer_stage = 0 '\0' >> } >> }, >> host_server_name = '\0' <repeats 255 times>, >> detected_os = '\0' <repeats 31 times>, >> excluded_protocol_bitmask = { >> bitmask = {0, 0, 0} >> }, >> packet_counter = 1, >> packet_direction_counter = {1, 0}, >> byte_counter = {1128, 0}, >> bittorrent_stage = 0 '\0', >> edk_stage = 0, >> directconnect_stage = 0, >> sip_yahoo_voice = 0, >> http_detected = 1, >> rtsprdt_stage = 0, >> rtsp_control_flow = 0, >> yahoo_detection_finished = 0, >> pplive_stage = 0, >> zattoo_stage = 0, >> qq_stage = 0, >> thunder_stage = 0, >> oscar_ssl_voice_stage = 0, >> oscar_video_voice = 0, >> florensia_stage = 0, >> packet = { >> iph = 0x73a430, >> iphv6 = 0x0, >> tcp = 0x73a444, >> udp = 0x0, >> generic_l4_ptr = 0x0, >> payload = 0x73a464 "GET >> /static/arkonline/images/emailupdates/new/middayNews_hdr.jpg >> HTTP/1.1\r\nAccept: */*\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; >> Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; MS-RTC >> LM 8; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; OfficeLiveConnector.1.4; >> OfficeLivePatch.1.3; .NET4.0C; .NET4.0E; InfoPath.3; Microsoft Outlook >> 14.0.7105; ms-office; MSOffice 14)\r\nAccept-Encoding: gzip, >> deflate\r\nHost: media.arkansasonline.com\r\nCookie: OAX=RllA0VHwFicACzCV; >> __qca=P0-1349696484-1374688810440; s_lastvisit=1380041387039; >> __utma=116532950.637762389.1374688811.1380024156.1380041386.36; >> __utmz=116532950.1374688811.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); >> elAuth=gary.pittman%40carkw.com; >> elAuthX=N%25A4%255ET%2587%25E1z%25F7P%25F2%2507_J%25CD%2501%25EBg%25F0%25D3%2502%25FB%2516J%252C%251A%2512%25C7%25D3%25EA%25EF%25AB%251F; >> sessionid=e0034baa977b2c6e1df9a299b4cba912; s_vnum=1382616156136%26vn%3D2; >> s_nr=1380024156136\ >> r\nVia: 1.1 wbfil2.org.carkw.com (http_scan_byf/3.3.1)\r\nCUDA_CLIIP: >> 192.168.10.162\r\nX-Forwarded-For: 192.168.10.162\r\nCache-Control: >> max-age=259200\r\nConnection: keep-alive\r\n\r\n?\021CR?U\005", >> tick_timestamp = 1442665333, >> detected_protocol_stack = {7, 0, 0}, >> detected_subprotocol_stack = "\000\000", >> real_protocol_read_only = 0, >> protocol_stack_info = { >> entry_is_real_protocol = 1 '\001', >> current_stack_size_minus_one = 1 '\001' >> }, >> line = {{ >> ptr = 0x73a464 "GET >> /static/arkonline/images/emailupdates/new/middayNews_hdr.jpg >> HTTP/1.1\r\nAccept: */*\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; >> Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; MS-RTC >> LM 8; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; OfficeLiveConnector.1.4; >> OfficeLivePatch.1.3; .NET4.0C; .NET4.0E; InfoPath.3; Microsoft Outlook >> 14.0.7105; ms-office; MSOffice 14)\r\nAccept-Encoding: gzip, >> deflate\r\nHost: media.arkansasonline.com\r\nCookie: OAX=RllA0VHwFicACzCV; >> __qca=P0-1349696484-1374688810440; s_lastvisit=1380041387039; >> __utma=116532950.637762389.1374688811.1380024156.1380041386.36; >> __utmz=116532950.1374688811.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); >> elAuth=gary.pittman%40carkw.com; >> elAuthX=N%25A4%255ET%2587%25E1z%25F7P%25F2%2507_J%25CD%2501%25EBg%25F0%25D3%2502%25FB%2516J%252C%251A%2512%25C7%25D3%25EA%25EF%25AB%251F; >> sessionid=e0034baa977b2c6e1df9a299b4cba912; s_vnum=1382616156136%26vn%3D2; >> s_nr=1380024156136\ >> r\nVia: 1.1 wbfil2.org.carkw.com (http_scan_byf/3.3.1)\r\nCUDA_CLIIP: >> 192.168.10.162\r\nX-Forwarded-For: 192.168.10.162\r\nCache-Control: >> max-age=259200\r\nConnection: keep-alive\r\n\r\n?\021CR?U\005", >> len = 73 >> }, { >> ptr = 0x73a4af "Accept: */*\r\nUser-Agent: Mozilla/4.0 (compatible; >> MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR >> 2.0.50727; MS-RTC LM 8; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; >> OfficeLiveConnector.1.4; OfficeLivePatch.1.3; .NET4.0C; .NET4.0E; >> InfoPath.3; Microsoft Outlook 14.0.7105; ms-office; MSOffice >> 14)\r\nAccept-Encoding: gzip, deflate\r\nHost: >> media.arkansasonline.com\r\nCookie: OAX=RllA0VHwFicACzCV; >> __qca=P0-1349696484-1374688810440; s_lastvisit=1380041387039; >> __utma=116532950.637762389.1374688811.1380024156.1380041386.36; >> __utmz=116532950.1374688811.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); >> elAuth=gary.pittman%40carkw.com; >> elAuthX=N%25A4%255ET%2587%25E1z%25F7P%25F2%2507_J%25CD%2501%25EBg%25F0%25D3%2502%25FB%2516J%252C%251A%2512%25C7%25D3%25EA%25EF%25AB%251F; >> sessionid=e0034baa977b2c6e1df9a299b4cba912; s_vnum=1382616156136%26vn%3D2; >> s_nr=1380024156136\r\nVia: 1.1 wbfil2.org.carkw.com >> (http_scan_byf/3.3.1)\r\nCUDA_CLIIP: 192.168 >> .10.162\r\nX-Forwarded-For: 192.168.10.162\r\nCache-Control: >> max-age=259200\r\nConnection: keep-alive\r\n\r\n?\021CR?U\005", >> len = 11 >> }, { >> ptr = 0x73a4bc "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows >> NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; MS-RTC LM 8; >> .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; OfficeLiveConnector.1.4; >> OfficeLivePatch.1.3; .NET4.0C; .NET4.0E; InfoPath.3; Microsoft Outlook >> 14.0.7105; ms-office; MSOffice 14)\r\nAccept-Encoding: gzip, >> deflate\r\nHost: media.arkansasonline.com\r\nCookie: OAX=RllA0VHwFicACzCV; >> __qca=P0-1349696484-1374688810440; s_lastvisit=1380041387039; >> __utma=116532950.637762389.1374688811.1380024156.1380041386.36; >> __utmz=116532950.1374688811.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); >> elAuth=gary.pittman%40carkw.com; >> elAuthX=N%25A4%255ET%2587%25E1z%25F7P%25F2%2507_J%25CD%2501%25EBg%25F0%25D3%2502%25FB%2516J%252C%251A%2512%25C7%25D3%25EA%25EF%25AB%251F; >> sessionid=e0034baa977b2c6e1df9a299b4cba912; s_vnum=1382616156136%26vn%3D2; >> s_nr=1380024156136\r\nVia: 1.1 wbfil2.org.carkw.com >> (http_scan_byf/3.3.1)\r\nCUDA_CLIIP: 192.168.10.162\r\nX-Fo >> rwarded-For: 192.168.10.162\r\nCache-Control: max-age=259200\r\nConnection: >> keep-alive\r\n\r\n?\021CR?U\005", >> len = 302 >> }, { >> ptr = 0x73a5ec "Accept-Encoding: gzip, deflate\r\nHost: >> media.arkansasonline.com\r\nCookie: OAX=RllA0VHwFicACzCV; >> __qca=P0-1349696484-1374688810440; s_lastvisit=1380041387039; >> __utma=116532950.637762389.1374688811.1380024156.1380041386.36; >> __utmz=116532950.1374688811.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); >> elAuth=gary.pittman%40carkw.com; >> elAuthX=N%25A4%255ET%2587%25E1z%25F7P%25F2%2507_J%25CD%2501%25EBg%25F0%25D3%2502%25FB%2516J%252C%251A%2512%25C7%25D3%25EA%25EF%25AB%251F; >> sessionid=e0034baa977b2c6e1df9a299b4cba912; s_vnum=1382616156136%26vn%3D2; >> s_nr=1380024156136\r\nVia: 1.1 wbfil2.org.carkw.com >> (http_scan_byf/3.3.1)\r\nCUDA_CLIIP: 192.168.10.162\r\nX-Forwarded-For: >> 192.168.10.162\r\nCache-Control: max-age=259200\r\nConnection: >> keep-alive\r\n\r\n?\021CR?U\005", >> len = 30 >> }, { >> ptr = 0x73a60c "Host: media.arkansasonline.com\r\nCookie: >> OAX=RllA0VHwFicACzCV; __qca=P0-1349696484-1374688810440; >> s_lastvisit=1380041387039; >> __utma=116532950.637762389.1374688811.1380024156.1380041386.36; >> __utmz=116532950.1374688811.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); >> elAuth=gary.pittman%40carkw.com; >> elAuthX=N%25A4%255ET%2587%25E1z%25F7P%25F2%2507_J%25CD%2501%25EBg%25F0%25D3%2502%25FB%2516J%252C%251A%2512%25C7%25D3%25EA%25EF%25AB%251F; >> sessionid=e0034baa977b2c6e1df9a299b4cba912; s_vnum=1382616156136%26vn%3D2; >> s_nr=1380024156136\r\nVia: 1.1 wbfil2.org.carkw.com >> (http_scan_byf/3.3.1)\r\nCUDA_CLIIP: 192.168.10.162\r\nX-Forwarded-For: >> 192.168.10.162\r\nCache-Control: max-age=259200\r\nConnection: >> keep-alive\r\n\r\n?\021CR?U\005", >> len = 30 >> }, { >> ptr = 0x73a62c "Cookie: OAX=RllA0VHwFicACzCV; >> __qca=P0-1349696484-1374688810440; s_lastvisit=1380041387039; >> __utma=116532950.637762389.1374688811.1380024156.1380041386.36; >> __utmz=116532950.1374688811.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); >> elAuth=gary.pittman%40carkw.com; >> elAuthX=N%25A4%255ET%2587%25E1z%25F7P%25F2%2507_J%25CD%2501%25EBg%25F0%25D3%2502%25FB%2516J%252C%251A%2512%25C7%25D3%25EA%25EF%25AB%251F; >> sessionid=e0034baa977b2c6e1df9a299b4cba912; s_vnum=1382616156136%26vn%3D2; >> s_nr=1380024156136\r\nVia: 1.1 wbfil2.org.carkw.com >> (http_scan_byf/3.3.1)\r\nCUDA_CLIIP: 192.168.10.162\r\nX-Forwarded-For: >> 192.168.10.162\r\nCache-Control: max-age=259200\r\nConnection: >> keep-alive\r\n\r\n?\021CR?U\005", >> len = 499 >> }, { >> ptr = 0x73a821 "Via: 1.1 wbfil2.org.carkw.com >> (http_scan_byf/3.3.1)\r\nCUDA_CLIIP: 192.168.10.162\r\nX-Forwarded-For: >> 192.168.10.162\r\nCache-Control: max-age=259200\r\nConnection: >> keep-alive\r\n\r\n?\021CR?U\005", >> len = 51 >> }, { >> ptr = 0x73a856 "CUDA_CLIIP: 192.168.10.162\r\nX-Forwarded-For: >> 192.168.10.162\r\nCache-Control: max-age=259200\r\nConnection: >> keep-alive\r\n\r\n?\021CR?U\005", >> len = 26 >> }, { >> ptr = 0x73a872 "X-Forwarded-For: 192.168.10.162\r\nCache-Control: >> max-age=259200\r\nConnection: keep-alive\r\n\r\n?\021CR?U\005", >> len = 31 >> }, { >> ptr = 0x73a893 "Cache-Control: max-age=259200\r\nConnection: >> keep-alive\r\n\r\n?\021CR?U\005", >> len = 29 >> }, { >> ptr = 0x73a8b2 "Connection: keep-alive\r\n\r\n?\021CR?U\005", >> len = 22 >> }, { >> ptr = 0x73a8ca "\r\n?\021CR?U\005", >> len = 2 >> }, { >> ptr = 0x0, >> len = 0 >> } <repeats 188 times>}, >> unix_line = {{ >> ptr = 0x0, >> len = 0 >> } <repeats 200 times>}, >> host_line = { >> ptr = 0x73a612 "media.arkansasonline.com\r\nCookie: >> OAX=RllA0VHwFicACzCV; __qca=P0-1349696484-1374688810440; >> s_lastvisit=1380041387039; >> __utma=116532950.637762389.1374688811.1380024156.1380041386.36; >> __utmz=116532950.1374688811.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); >> elAuth=gary.pittman%40carkw.com; >> elAuthX=N%25A4%255ET%2587%25E1z%25F7P%25F2%2507_J%25CD%2501%25EBg%25F0%25D3%2502%25FB%2516J%252C%251A%2512%25C7%25D3%25EA%25EF%25AB%251F; >> sessionid=e0034baa977b2c6e1df9a299b4cba912; s_vnum=1382616156136%26vn%3D2; >> s_nr=1380024156136\r\nVia: 1.1 wbfil2.org.carkw.com >> (http_scan_byf/3.3.1)\r\nCUDA_CLIIP: 192.168.10.162\r\nX-Forwarded-For: >> 192.168.10.162\r\nCache-Control: max-age=259200\r\nConnection: >> keep-alive\r\n\r\n?\021CR?U\005", >> len = 24 >> }, >> referer_line = { >> ptr = 0x0, >> len = 0 >> }, >> content_line = { >> ptr = 0x0, >> len = 0 >> }, >> accept_line = { >> ptr = 0x73a4b7 "*/*\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; >> Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; MS-RTC >> LM 8; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; OfficeLiveConnector.1.4; >> OfficeLivePatch.1.3; .NET4.0C; .NET4.0E; InfoPath.3; Microsoft Outlook >> 14.0.7105; ms-office; MSOffice 14)\r\nAccept-Encoding: gzip, >> deflate\r\nHost: media.arkansasonline.com\r\nCookie: OAX=RllA0VHwFicACzCV; >> __qca=P0-1349696484-1374688810440; s_lastvisit=1380041387039; >> __utma=116532950.637762389.1374688811.1380024156.1380041386.36; >> __utmz=116532950.1374688811.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); >> elAuth=gary.pittman%40carkw.com; >> elAuthX=N%25A4%255ET%2587%25E1z%25F7P%25F2%2507_J%25CD%2501%25EBg%25F0%25D3%2502%25FB%2516J%252C%251A%2512%25C7%25D3%25EA%25EF%25AB%251F; >> sessionid=e0034baa977b2c6e1df9a299b4cba912; s_vnum=1382616156136%26vn%3D2; >> s_nr=1380024156136\r\nVia: 1.1 wbfil2.org.carkw.com >> (http_scan_byf/3.3.1)\r\nCUDA_CLIIP: 192.168.10.162\r\ >> nX-Forwarded-For: 192.168.10.162\r\nCache-Control: >> max-age=259200\r\nConnection: keep-alive\r\n\r\n?\021CR?U\005", >> len = 3 >> }, >> user_agent_line = { >> ptr = 0x73a4c8 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; >> Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; MS-RTC LM 8; .NET CLR >> 3.0.4506.2152; .NET CLR 3.5.30729; OfficeLiveConnector.1.4; >> OfficeLivePatch.1.3; .NET4.0C; .NET4.0E; InfoPath.3; Microsoft Outlook >> 14.0.7105; ms-office; MSOffice 14)\r\nAccept-Encoding: gzip, >> deflate\r\nHost: media.arkansasonline.com\r\nCookie: OAX=RllA0VHwFicACzCV; >> __qca=P0-1349696484-1374688810440; s_lastvisit=1380041387039; >> __utma=116532950.637762389.1374688811.1380024156.1380041386.36; >> __utmz=116532950.1374688811.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); >> elAuth=gary.pittman%40carkw.com; >> elAuthX=N%25A4%255ET%2587%25E1z%25F7P%25F2%2507_J%25CD%2501%25EBg%25F0%25D3%2502%25FB%2516J%252C%251A%2512%25C7%25D3%25EA%25EF%25AB%251F; >> sessionid=e0034baa977b2c6e1df9a299b4cba912; s_vnum=1382616156136%26vn%3D2; >> s_nr=1380024156136\r\nVia: 1.1 wbfil2.org.carkw.com >> (http_scan_byf/3.3.1)\r\nCUDA_CLIIP: 192.168.10.162\r\nX-Forwarded-For: 1 >> 92.168.10.162\r\nCache-Control: max-age=259200\r\nConnection: >> keep-alive\r\n\r\n?\021CR?U\005", >> len = 290 >> }, >> http_url_name = { >> ptr = 0x73a468 >> "/static/arkonline/images/emailupdates/new/middayNews_hdr.jpg >> HTTP/1.1\r\nAccept: */*\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; >> Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; MS-RTC >> LM 8; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; OfficeLiveConnector.1.4; >> OfficeLivePatch.1.3; .NET4.0C; .NET4.0E; InfoPath.3; Microsoft Outlook >> 14.0.7105; ms-office; MSOffice 14)\r\nAccept-Encoding: gzip, >> deflate\r\nHost: media.arkansasonline.com\r\nCookie: OAX=RllA0VHwFicACzCV; >> __qca=P0-1349696484-1374688810440; s_lastvisit=1380041387039; >> __utma=116532950.637762389.1374688811.1380024156.1380041386.36; >> __utmz=116532950.1374688811.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); >> elAuth=gary.pittman%40carkw.com; >> elAuthX=N%25A4%255ET%2587%25E1z%25F7P%25F2%2507_J%25CD%2501%25EBg%25F0%25D3%2502%25FB%2516J%252C%251A%2512%25C7%25D3%25EA%25EF%25AB%251F; >> sessionid=e0034baa977b2c6e1df9a299b4cba912; s_vnum=1382616156136%26vn%3D2; >> s_nr=1380024156136\r\nVia >> : 1.1 wbfil2.org.carkw.com (http_scan_byf/3.3.1)\r\nCUDA_CLIIP: >> 192.168.10.162\r\nX-Forwarded-For: 192.168.10.162\r\nCache-Control: >> max-age=259200\r\nConnection: keep-alive\r\n\r\n?\021CR?U\005", >> len = 60 >> }, >> http_encoding = { >> ptr = 0x0, >> len = 0 >> }, >> http_transfer_encoding = { >> ptr = 0x0, >> len = 0 >> }, >> http_contentlen = { >> ptr = 0x0, >> len = 0 >> }, >> http_cookie = { >> ptr = 0x73a634 "OAX=RllA0VHwFicACzCV; __qca=P0-1349696484-1374688810440; >> s_lastvisit=1380041387039; >> __utma=116532950.637762389.1374688811.1380024156.1380041386.36; >> __utmz=116532950.1374688811.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); >> elAuth=gary.pittman%40carkw.com; >> elAuthX=N%25A4%255ET%2587%25E1z%25F7P%25F2%2507_J%25CD%2501%25EBg%25F0%25D3%2502%25FB%2516J%252C%251A%2512%25C7%25D3%25EA%25EF%25AB%251F; >> sessionid=e0034baa977b2c6e1df9a299b4cba912; s_vnum=1382616156136%26vn%3D2; >> s_nr=1380024156136\r\nVia: 1.1 wbfil2.org.carkw.com >> (http_scan_byf/3.3.1)\r\nCUDA_CLIIP: 192.168.10.162\r\nX-Forwarded-For: >> 192.168.10.162\r\nCache-Control: max-age=259200\r\nConnection: >> keep-alive\r\n\r\n?\021CR?U\005", >> len = 491 >> }, >> http_x_session_type = { >> ptr = 0x0, >> len = 0 >> }, >> server_line = { >> ptr = 0x0, >> len = 0 >> }, >> http_method = { >> ptr = 0x73a464 "GET >> /static/arkonline/images/emailupdates/new/middayNews_hdr.jpg >> HTTP/1.1\r\nAccept: */*\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; >> Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; MS-RTC >> LM 8; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; OfficeLiveConnector.1.4; >> OfficeLivePatch.1.3; .NET4.0C; .NET4.0E; InfoPath.3; Microsoft Outlook >> 14.0.7105; ms-office; MSOffice 14)\r\nAccept-Encoding: gzip, >> deflate\r\nHost: media.arkansasonline.com\r\nCookie: OAX=RllA0VHwFicACzCV; >> __qca=P0-1349696484-1374688810440; s_lastvisit=1380041387039; >> __utma=116532950.637762389.1374688811.1380024156.1380041386.36; >> __utmz=116532950.1374688811.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); >> elAuth=gary.pittman%40carkw.com; >> elAuthX=N%25A4%255ET%2587%25E1z%25F7P%25F2%2507_J%25CD%2501%25EBg%25F0%25D3%2502%25FB%2516J%252C%251A%2512%25C7%25D3%25EA%25EF%25AB%251F; >> sessionid=e0034baa977b2c6e1df9a299b4cba912; s_vnum=1382616156136%26vn%3D2; >> s_nr=1380024156136\r\ >> nVia: 1.1 wbfil2.org.carkw.com (http_scan_byf/3.3.1)\r\nCUDA_CLIIP: >> 192.168.10.162\r\nX-Forwarded-For: 192.168.10.162\r\nCache-Control: >> max-age=259200\r\nConnection: keep-alive\r\n\r\n?\021CR?U\005", >> len = 3 >> }, >> http_response = { >> ptr = 0x0, >> len = 0 >> }, >> l3_packet_len = 1180, >> l4_packet_len = 1160, >> payload_packet_len = 1128, >> actual_payload_len = 1128, >> num_retried_bytes = 0, >> parsed_lines = 12, >> parsed_unix_lines = 0, >> empty_line_position = 0, >> tcp_retransmission = 0 '\0', >> l4_protocol = 6 '\006', >> packet_lines_parsed_complete = 1 '\001', >> packet_unix_lines_parsed_complete = 0 '\0', >> empty_line_position_set = 0 '\0', >> packet_direction = 0 '\0', >> ssl_certificate_detected = 0 '\0', >> ssl_certificate_num_checks = 0 '\0' >> }, >> flow = 0x0, >> src = 0x31766c0, >> dst = 0x31767d0 >> } >> € >> >> >> _______________________________________________ >> Ntop-dev mailing list >> [email protected] >> http://listgateway.unipi.it/mailman/listinfo/ntop-dev > > _______________________________________________ > Ntop-dev mailing list > [email protected] > http://listgateway.unipi.it/mailman/listinfo/ntop-dev _______________________________________________ Ntop-dev mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop-dev
