rwg, J, and all...
I have worked out some very interesting things from the IIS logs. I was
expecting to see double requests being logged; however, the ones I found were
not at quite the right times. I double-checked my findings and discovered
it's not friendly ON that's causing it. It's friendly OFF. I got my snort
results mixed up. This is really annoying!
However, it does also make sense. In either case (friendly on or off), IE
wants to display the error page, for some reason (which is the $64,000
question!). When friendly is ON it just sees this problem, and stops there;
it gives up. When friendly is OFF it retries and sends another request.
In summary:
With friendly OFF:
- IE requests the page
- IE sends Accept: */*
- There is obviously a problem with the first request, which causes it
to request again.
- IIS logs this:
date time c-ip cs-username s-ip cs-method cs-uri-stem sc-status sc-win32-status sc-bytes cs-bytes time-taken cs(User-Agent)
16/03/04 12:10:03 w.x.y.z - a.b.c.d GET /test.asp 200 0 331 168 0 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0)
16/03/04 12:10:04 w.x.y.z - a.b.c.d GET /test.asp 200 0 331 322 0 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0)
With friendly ON:
- IE requests the page
- IE sends individual accept types instead of just */* .
- IE gives up and shows an error page
- IIS logs this:
date time c-ip cs-username s-ip cs-method cs-uri-stem sc-status sc-win32-status sc-bytes cs-bytes time-taken cs(User-Agent)
16/03/04 11:13:22 w.x.y.z - a.b.c.d GET /test.asp 200 0 331 168 0 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0)
(a.b.c.d = server, w.x.y.z = me)
I still have no idea what the "c6" and "0" mean that are always in the
response from the server??
In case it helps, here's what snort sees (done a different time on a different
machine, so ignore slight diffs in user agent and time):
GET request with friendly OFF:
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ =+=+=+=+=+=+=+=+
02/16-17:22:14.502189 a.b.c.d:4199 -> w.x.y.z:80
TCP TTL:128 TOS:0x0 ID:2972 DF
*****PA* Seq: 0xBC7B403B Ack: 0xBB345F2E Win: 0x40B0
GET /test.asp HTTP/1.1..Accept:*/*..Accept-Encoding: gzip,
deflate..User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0;
Q312461)..Host: w.x.y.z..Connection: Keep-Alive....
GET request with friendly ON:
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ =+=+=+=+=+=+=+=+
02/16-17:22:31.742331 a.b.c.d:4205 -> w.x.y.z:80
TCP TTL:128 TOS:0x0 ID:3003 DF
*****PA* Seq: 0xBCBEF6CF Ack: 0xC3ACEE62 Win: 0x40B0
GET /test.asp HTTP/1.1..Accept:image/gif, image/x-xbitmap, image/jpeg,
image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel,
application/msword,
application/x-gsarcade-launch,application/x-shockwave-flash,*/*..
Accept-Language: en-gb..Accept-Encoding: gzip, deflate..User-Agent: Mozilla/4.0
(compatible; MSIE 6.0; Windows NT 5.0; Q312461)..Host: w.x.y.z..Connection:
Keep-Alive....
Still pretty bizarre, isn't it?
rwg - If you can post details about your system I would be interested, as
apart from yours, this problem is on every system I have tried so far.
Cheers
Paul
"rwg" wrote:
Greetings Paul:
I tried this code on both IIS5 and IIS 6 servers with Show Friendly
turned on and then turned off. I could not reproduce the error. There
must be more pieces to this puzzle. What version of IIS and browser
are you using? What's in your IIS web logs for these requests?
-rwg
This is what I think, not necessarily what is accurate!
--------------------
From: "Paul" <re***************************@hotmail.com>
Newsgroups: microsoft.public.excel.misc,microsoft.public.inetserver.asp.general,microsoft.public.inetserver.iis
Subject: Friendly HTTP errors causes std error page in IE (no its not an asp error!)
Date: Mon, 15 Mar 2004 09:10:05 -0000
Lines: 50
Message-ID: <c3*************@ID-141222.news.uni-berlin.de>
I thought this is more of an IE issue but I've had no joy on that
group; perhaps somebody here will have a clue.
If I click a link to a web page embedded in Excel (97 OR 2000) I get
the standard error page displayed by IE (you know, the 'cannot find
server or dns error' page).
Turning off 'show friendly http error messages' alleviates this.
(Unfortunately this is the Windows default setting!)
What's going on?!?!
This is my test.asp page... there isn't a problem without that
cache-control line (which, unfortunately, I do need, and it's
perfectly valid anyway so I don't see why I should remove it)
<% Response.CacheControl = "no-cache" %>
<HTML>
<HEAD></HEAD>
<BODY>
<P>If you can read this then it worked....</P>
</BODY>
</HTML>
I used snort to look at what's happening on a packet level:
When friendly err messages are ON:
- IE requests the page twice
- IE sends Accept: */*
When friendly err messages are OFF:
- Everything is fine and the packet exchange is as expected.
- It sends individual accept types instead of just */* .
It looks like something is confusing IE and causing it to send out
another request and so it ends up displaying an error page.
F5-refreshing that page does another 'normal' (?) request and
everything goes fine. Therefore friendly messages seem to change
the way IE makes requests...weird, huh?!
One other strange thing is the response from the server (every time):
there are "c6" and "0" and some space characters before and after
<HTML> and </HTML> respectively.
I wonder what these are in there for?
It's the same if pages are served from IIS4 and IIS5, IE going
through a Proxy or not. I can post the snort logs if required.
Can somebody please help - I'm running out of ideas!
Thanks
Paul
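
Added example (not part of the original thread): a Python sketch of the log check described in the post, flagging a repeated request from the same client for the same URI within a short window. The sample lines are constructed from the entries quoted above; the two-second window, the day/month/year date order and the function names are assumptions.

```python
from datetime import datetime, timedelta

# Field order as listed in the post's IIS log header.
FIELDS = ("date time c-ip cs-username s-ip cs-method cs-uri-stem sc-status "
          "sc-win32-status sc-bytes cs-bytes time-taken cs(User-Agent)").split()

UA = "Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0)"
# Constructed sample, modelled on the three entries quoted in the post.
SAMPLE_LOG = "\n".join([
    f"16/03/04 11:13:22 w.x.y.z - a.b.c.d GET /test.asp 200 0 331 168 0 {UA}",
    f"16/03/04 12:10:03 w.x.y.z - a.b.c.d GET /test.asp 200 0 331 168 0 {UA}",
    f"16/03/04 12:10:04 w.x.y.z - a.b.c.d GET /test.asp 200 0 331 322 0 {UA}",
])


def parse_line(line):
    """Split one space-delimited log entry into a dict keyed by field name."""
    values = line.split()
    if len(values) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(values)}")
    rec = dict(zip(FIELDS, values))
    # Assumption: dates are day/month/two-digit year, as the post's dates suggest.
    rec["ts"] = datetime.strptime(f"{rec['date']} {rec['time']}",
                                  "%d/%m/%y %H:%M:%S")
    return rec


def find_retries(log_text, window_seconds=2):
    """Return (first, second) record pairs: same client, method and URI,
    logged no more than window_seconds apart. Assumes chronological order."""
    window = timedelta(seconds=window_seconds)
    last_seen, pairs = {}, []
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue  # skip blank lines and W3C directive lines
        rec = parse_line(line)
        key = (rec["c-ip"], rec["cs-method"], rec["cs-uri-stem"])
        prev = last_seen.get(key)
        if prev is not None and rec["ts"] - prev["ts"] <= window:
            pairs.append((prev, rec))
        last_seen[key] = rec
    return pairs
```

Comparing `cs-bytes` across each returned pair shows whether the second request carried different headers from the first.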
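
Added example (not part of the original thread): a "c6" before the body and a "0" after it is consistent with HTTP/1.1 chunked transfer coding, where each chunk is preceded by its length in hexadecimal (0xc6 = 198 bytes) and a zero-length chunk ends the body. The Python decoder below shows that framing on a constructed body; the padded page bytes and the function name are assumptions, not data captured from the server in the post.

```python
import re

# Constructed sample: the test page's markup padded with spaces to 0xc6 bytes,
# framed as one chunk followed by the terminating zero-length chunk.
PAGE = (b"<HTML>\r\n<HEAD></HEAD>\r\n<BODY>\r\n"
        b"<P>If you can read this then it worked....</P>\r\n"
        b"</BODY>\r\n</HTML>\r\n")
CHUNK = PAGE.ljust(0xC6)
SAMPLE_BODY = b"c6\r\n" + CHUNK + b"\r\n0\r\n\r\n"

HEX_SIZE = re.compile(rb"[0-9A-Fa-f]+")


def decode_chunked(raw):
    """Split a chunked message body into its chunks (trailers are ignored)."""
    chunks, pos = [], 0
    while True:
        eol = raw.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("missing CRLF after chunk size")
        # Drop any ';extension' and tolerate padding after the size digits.
        token = raw[pos:eol].split(b";", 1)[0].strip(b" \t")
        # Strict hex only: int() alone would also accept '0x', '+' and '_'.
        if not HEX_SIZE.fullmatch(token):
            raise ValueError(f"bad chunk size line: {token!r}")
        size = int(token, 16)
        pos = eol + 2
        if size == 0:
            return chunks  # last-chunk marker: the "0" seen in the capture
        data = raw[pos:pos + size]
        if len(data) != size or raw[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("truncated chunk or missing CRLF after chunk data")
        chunks.append(data)
        pos += size + 2
```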