Thank you for your time and explanation. Here is a response from Mozilla which failed. Maybe this will help?
7 12.708273 LOCAL TYAN C103CC3 HTTP Response (to client using port 3150) SOL 64.58.7.154 IP
Frame: Base frame properties
Frame: Time of capture = 11/10/2003 14:1:33.249
Frame: Time delta from previous physical frame: 0 microseconds
Frame: Frame number: 7
Frame: Total frame length: 233 bytes
Frame: Capture frame length: 233 bytes
Frame: Frame data: Number of data bytes remaining = 233 (0x00E9)
ETHERNET: ETYPE = 0x0800 : Protocol = IP: DOD Internet Protocol
ETHERNET: Destination address : 00E081103CC3
ETHERNET: .......0 = Individual address
ETHERNET: ......0. = Universally administered address
ETHERNET: Source address : 00D0B784864A
ETHERNET: .......0 = No routing information present
ETHERNET: ......0. = Universally administered address
ETHERNET: Frame Length : 233 (0x00E9)
ETHERNET: Ethernet Type : 0x0800 (IP: DOD Internet Protocol)
ETHERNET: Ethernet Data: Number of data bytes remaining = 219 (0x00DB)
IP: ID = 0x7C; Proto = TCP; Len: 219
IP: Version = 4 (0x4)
IP: Header Length = 20 (0x14)
IP: Precedence = Routine
IP: Type of Service = Normal Service
IP: Total Length = 219 (0xDB)
IP: Identification = 124 (0x7C)
IP: Flags Summary = 2 (0x2)
IP: .......0 = Last fragment in datagram
IP: ......1. = Cannot fragment datagram
IP: Fragment Offset = 0 (0x0) bytes
IP: Time to Live = 128 (0x80)
IP: Protocol = TCP - Transmission Control
IP: Checksum = 0x69F7
IP: Source Address = 64.58.7.156
IP: Destination Address = 64.58.7.154
IP: Data: Number of data bytes remaining = 199 (0x00C7)
TCP: .AP..., len: 179, seq: 18356498-18356677, ack:4142894198, win:63522, src: 80 dst: 3150
TCP: Source Port = Hypertext Transfer Protocol
TCP: Destination Port = 0x0C4E
TCP: Sequence Number = 18356498 (0x1181912)
TCP: Acknowledgement Number = 4142894198 (0xF6EF8C76)
TCP: Data Offset = 20 (0x14)
TCP: Reserved = 0 (0x0000)
TCP: Flags = 0x18 : .AP...
TCP: ..0..... = No urgent data
TCP: ...1.... = Acknowledgement field significant
TCP: ....1... = Push function
TCP: .....0.. = No Reset
TCP: ......0. = No Synchronize
TCP: .......0 = No Fin
TCP: Window = 63522 (0xF822)
TCP: Checksum = 0xE5CA
TCP: Urgent Pointer = 0 (0x0)
TCP: Data: Number of data bytes remaining = 179 (0x00B3)
HTTP: Response (to client using port 3150)
HTTP: Protocol Version = HTTP/1.1
HTTP: Status Code = Bad Request
HTTP: Reason = Bad Request
HTTP: Undocumented Header = Content-Type: text/html
HTTP: Undocumented Header Fieldname = Content-Type
HTTP: Undocumented Header Value = text/html
HTTP: Undocumented Header = Content-Length: 87
HTTP: Undocumented Header Fieldname = Content-Length
HTTP: Undocumented Header Value = 87
HTTP: Undocumented Header = Connection: close
HTTP: Undocumented Header Fieldname = Connection
HTTP: Undocumented Header Value = close
HTTP: Data: Number of data bytes remaining = 87 (0x0057)
>-----Original Message-----
>Hello,
>
>If the packet below was really sent as the complete request, then the
>problem is completely on the client side. That single packet is not a valid
>request and should cause a 400 error on any server.
>
>My guess is that the client sent the request in two or more packets and you
>just posted the second one. As David has said, a complete capture of the
>request and response will tell definitively if the request is OK or not.
>What you've posted below is not a complete request, and it contains no part
>of the response.
>
>I doubt that IIS Lockdown directly caused this, and I am virtually certain
>that UrlScan did not. I can tell you definitively that neither IIS Lockdown
>nor UrlScan care - or even "know" - what the client is. Your comment that
>they "corrupt everything but IE" is hogwash. If either the Lockdown tool,
>or UrlScan breaks a server (and they definitely can, if they lock down
>something you actually want to serve), IE will be equally affected.
>
>As for the two tools, here's a description of what they really are and what
>they really do:
>
>IIS Lockdown is simply a tool that automates most of the "best practices"
>of locking down an IIS box on the internet. It removes unnecessary
>components, sets ACLs on files, etc. It has no run time component; it's
>purely a configuration tool. Uninstallation of this tool basically goes
>back and un-does the changes it made at installation. Because of the number
>of things it touches (all of which are reported to the administrator, by the
>way), it would be very difficult to manually return the server to the state
>it was in before it was installed, so you should definitely allow it to
>uninstall, unless you have lots of time and understand the report it
>produces at install time.
>
>UrlScan, on the other hand, is a run time tool that inspects each incoming
>request, per the settings in its configuration file. It logs absolutely
>every request it touches and tells you why it touched it. Also, if a
>request comes in and UrlScan doesn't reject it, then that request is passed
>on absolutely unmodified. If you want to manually remove UrlScan, you can
>just use the IIS MMC snap-in to remove it from the global filter list and
>then restart IIS. Once you've done this, it is 100% impossible for UrlScan
>to have any effect on your server.
>
>There is only one scenario in which UrlScan will cause a 400 response.
>Specifically, if you tell UrlScan to remove or alter the server header on a
>response, and UrlScan is unable to do so (which typically happens if your
>server receives either a request that IIS cannot parse, or is an HTTP 0.9
>request), then UrlScan will take over the response (as opposed to modifying
>it) and replace it with a 400 that does not contain a server header. If
>this is happening, then you will see an entry in the UrlScan log that
>it could not remove the server header from the response to a malformed
>request. If you do not see these log entries, and a netmon trace shows that
>the 400 response contains a server header, then you can be 100% certain,
>that UrlScan - even if it's running - did not result in these 400 responses.
>
>I realize that my response here doesn't fix the actual problem you are
>having. I'm hoping, though, that it serves to remove some of the mystery
>(and apparent distrust) of these two tools. If you can get a more complete
>netmon trace of the problem and post it here, hopefully either David,
>myself, or other members of the community, can help you to get your server
>working again.
>
>Thank you,
>-Wade A. Hilmo,
>-Microsoft
>
><anonymous.DeleteThis@discussions.microsoft.com> wrote in message
>news:0ba801c3aacd$7be3f360$a501280a@phx.gbl...
>I really suspect that the issue lies in the fact that I
>installed IISlockdown and URLScan. I have another iis
>server on my network that does not have the above
>installed on them and things work just fine. It seems
>interesting that these two programs corrupt everything but
>IE on a windows platform. OH and btw I have tried
>uninstalling both of those programs.
>
>
>>-----Original Message-----
>>Somehow, something is trashing the HTTP requests on the way to the web
>>server. The only valid value that I'm seeing here from your HTTP request
>>is:
>>
>>Content-Length: 52\r\n
>>\r\n
>>Process=Log+Me+In&User=tom&Password=tom&b1=Log+Me+In
>>
>>The request is missing at least the following:
>>
>>POST /MyPage.asp HTTP/1.0\r\n
>>
>>There's supposed to be more HTTP request headers that's apparently garbage
>>in your Trace -- if this is the request that gets to the web server, it'd
>>cause a 400 Bad Request.
>>
>>I'd start checking your networking.
>>
>>--
>>//David
>>IIS
>>This posting is provided "AS IS" with no warranties, and confers no rights.
>>//
>><anonymous.DeleteThis@discussions.microsoft.com> wrote in message
>>news:07c601c3aa04$2b089640$a001280a@phx.gbl...
>>here is a request from ie5.2 on a mac. I'm not really sure
>>what to make of it. Any help would be much appreciated.
>>
>>
>>9 13.459354 003085E596DC LOCAL HTTP Content-length: Request (from client using port 21408) 206.124.10.32 SOL IP
>>Frame: Base frame properties
>> Frame: Time of capture = 11/10/2003 13:56:37.463
>> Frame: Time delta from previous physical frame: 120173 microseconds
>> Frame: Frame number: 9
>> Frame: Total frame length: 128 bytes
>> Frame: Capture frame length: 128 bytes
>> Frame: Frame data: Number of data bytes remaining = 128 (0x0080)
>>ETHERNET: ETYPE = 0x0800 : Protocol = IP: DOD Internet Protocol
>> ETHERNET: Destination address : 00D0B784864A
>> ETHERNET: .......0 = Individual address
>> ETHERNET: ......0. = Universally administered address
>> ETHERNET: Source address : 003085E596DC
>> ETHERNET: .......0 = No routing information present
>> ETHERNET: ......0. = Universally administered address
>> ETHERNET: Frame Length : 128 (0x0080)
>> ETHERNET: Ethernet Type : 0x0800 (IP: DOD Internet Protocol)
>> ETHERNET: Ethernet Data: Number of data bytes remaining = 114 (0x0072)
>>IP: ID = 0xA596; Proto = TCP; Len: 114
>> IP: Version = 4 (0x4)
>> IP: Header Length = 20 (0x14)
>> IP: Precedence = Routine
>> IP: Type of Service = Normal Service
>> IP: Total Length = 114 (0x72)
>> IP: Identification = 42390 (0xA596)
>> IP: Flags Summary = 2 (0x2)
>> IP: .......0 = Last fragment in datagram
>> IP: ......1. = Cannot fragment datagram
>> IP: Fragment Offset = 0 (0x0) bytes
>> IP: Time to Live = 236 (0xEC)
>> IP: Protocol = TCP - Transmission Control
>> IP: Checksum = 0xC87C
>> IP: Source Address = 206.124.10.32
>> IP: Destination Address = 64.58.7.156
>> IP: Data: Number of data bytes remaining = 94 (0x005E)
>>TCP: .AP..., len: 74, seq:2475344921-2475344995, ack:4239387231, win:32768, src:21408 dst: 80
>> TCP: Source Port = 0x53A0
>> TCP: Destination Port = Hypertext Transfer Protocol
>> TCP: Sequence Number = 2475344921 (0x938AC419)
>> TCP: Acknowledgement Number = 4239387231 (0xFCAFEA5F)
>> TCP: Data Offset = 20 (0x14)
>> TCP: Reserved = 0 (0x0000)
>> TCP: Flags = 0x18 : .AP...
>> TCP: ..0..... = No urgent data
>> TCP: ...1.... = Acknowledgement field significant
>> TCP: ....1... = Push function
>> TCP: .....0.. = No Reset
>> TCP: ......0. = No Synchronize
>> TCP: .......0 = No Fin
>> TCP: Window = 32768 (0x8000)
>> TCP: Checksum = 0xE445
>> TCP: Urgent Pointer = 0 (0x0)
>> TCP: Data: Number of data bytes remaining = 74 (0x004A)
>>HTTP: Content-length: Request (from client using port 21408)
>> HTTP: Request Method = Content-length:
>> HTTP: Uniform Resource Identifier = 52
>>
>>
>>>-----Original Message-----
>>>Network Trace (i.e. NetMon, a Windows component for server SKUs) will show
>>>whether the request that is sent by the client is truly malformed (as
>>>indicated by a 400 status code).
>>>
>>>--
>>>//David
>>>IIS
>>>This posting is provided "AS IS" with no warranties, and confers no rights.
>>>//
>>>"turnit (removethis) @qwest.net" <anonymous.DeleteThis@discussions.microsoft.com> wrote
>>>in message news:01a201c3a958$6481cbf0$a501280a@phx.gbl...
>>>I have a login form that uses the post method to carry the
>>>information to the next page. The form works just fine in
>>>ie6.0, but fails in mozilla and fails in ie5.2 on a
>>>mac. "HTTP/1.1 400 Bad Request" was the original error msg.
>>>Now that I reinstalled iislockdown and urlscan I get "The
>>>parameter is incorrect." If I use the get method with this
>>>form it works just fine on everything. I can't say for
>>>certain but I think this problem started after I installed
>>>iislockdown and URLScan. I have since removed these apps
>>>and reinstalled them as noted above. Anybody have any
>>>ideas?
>>>
>>>Hoss
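
The two checks discussed in this thread, as an added example (not code from any of the posters): whether a captured TCP payload opens with an HTTP request line, and whether a 400 response carries a Server header, which is Wade's test for ruling UrlScan out. The sample bytes are constructed from the decoded traces in the thread; `FULL_REQUEST`, `WITH_SERVER` and its header value, and all function names are hypothetical.

```python
import re

# Constructed samples, rebuilt from the decoded traces quoted in the thread.
RESPONSE = (b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/html\r\n"
            b"Content-Length: 87\r\nConnection: close\r\n\r\n"
            b"<html><head><title>Error</title></head>"
            b"<body>The parameter is incorrect. </body></html>")
SEGMENT = (b"Content-length: 52\r\n\r\n"
           b"Process=Log+Me+In&User=tom&Password=tom&b1=Log+Me+In")
# Hypothetical: the same payload preceded by the request line David says is missing.
FULL_REQUEST = b"POST /MyPage.asp HTTP/1.0\r\n" + SEGMENT
# Hypothetical 400 that still carries a Server header (made-up value).
WITH_SERVER = b"HTTP/1.1 400 Bad Request\r\nServer: ExampleServer\r\n\r\n"

REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/\d\.\d$")


def split_head(payload):
    """Return (first line, lower-cased header dict, body) of raw HTTP bytes."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def segment_starts_request(payload):
    """True only if the payload opens with 'METHOD target HTTP/x.y'."""
    return REQUEST_LINE.match(split_head(payload)[0]) is not None


def classify_400(payload):
    """Apply the Server-header test to a captured response."""
    first, headers, _ = split_head(payload)
    parts = first.split(b" ", 2)
    if len(parts) < 2 or parts[1] != b"400":
        return "not-a-400"
    if b"server" in headers:
        return "urlscan-ruled-out"   # Server header present: not UrlScan's 400
    return "check-urlscan-log"       # no Server header: look for the log entry


if __name__ == "__main__":
    print(segment_starts_request(SEGMENT), segment_starts_request(FULL_REQUEST))
    print(classify_400(RESPONSE), classify_400(WITH_SERVER))
```

A `check-urlscan-log` result only says the response is consistent with the one case Wade describes; the UrlScan log entry is what confirms it.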