RE: [squid-users] Windows XP inconsistent on proxy use?

From: Rick Matthews <k5wls@dont-contact.us>
Date: Fri, 13 Jun 2003 22:47:34 -0500

Stephen J. McCracken wrote:
>
> Are you sure that it's IE 6 trying port 80 or might it be some other
> little program on the machine that ignores proxy settings? (e.g.
> spyware program/windows update/messenger/etc)

The box is clean, no spyware.

Here's a better explanation of what I am seeing:

In my surfing I went to www.drudgereport.com. The following was
directed to the proxy at port 3128 and it appears in squid's
access.log:

Jun 13 10:39:31 2003 563 192.168.44.4 \
   TCP_REFRESH_MISS/200 27196 GET \
   http://www.drudgereport.com/ \
   Rick DIRECT/66.28.209.210 text/html
Jun 13 10:39:31 2003 31 192.168.44.4 (trimmed)
Jun 13 10:39:31 2003 18 192.168.44.4
Jun 13 10:39:31 2003 126 192.168.44.4
Jun 13 10:39:32 2003 138 192.168.44.4
Jun 13 10:39:32 2003 363 192.168.44.4
Jun 13 10:39:32 2003 250 192.168.44.4
Jun 13 10:39:32 2003 449 192.168.44.4
Jun 13 10:39:32 2003 720 192.168.44.4

During the same time period I see the following port 80 attempts
blocked and logged by the firewall:

Jun 13 10:39:31 k5wls kernel: Packet log: input DENY eth1 PROTO=6 \
   192.168.44.4:1209 66.28.209.210:80... SYN
Jun 13 10:39:31 ... 192.168.44.4:1211 66.28.209.210:80 (trimmed)
Jun 13 10:39:34 ... 192.168.44.4:1209 66.28.209.210:80
Jun 13 10:39:34 ... 192.168.44.4:1211 66.28.209.210:80
Jun 13 10:39:40 ... 192.168.44.4:1211 66.28.209.210:80
Jun 13 10:39:40 ... 192.168.44.4:1209 66.28.209.210:80
Jun 13 10:39:54 ... 192.168.44.4:1215 66.28.209.210:80
Jun 13 10:39:57 ... 192.168.44.4:1215 66.28.209.210:80
Jun 13 10:40:03 ... 192.168.44.4:1215 66.28.209.210:80

- - - - - - - - -

I read a news story at www.timesonline.co.uk. The following was
directed to the proxy at port 3128 and it appears in squid's
access.log:

Jun 13 10:42:49 2003 894 192.168.44.4 \
   TCP_MISS/200 26061 GET \
   http://www.timesonline.co.uk/article/0,,1-712552,00.html \
   Rick DIRECT/143.252.78.23 text/html
Jun 13 10:42:50 2003 19 192.168.44.4 (trimmed)
Jun 13 10:42:50 2003 868 192.168.44.4
Jun 13 10:42:51 2003 474 192.168.44.4
Jun 13 10:42:51 2003 449 192.168.44.4
Jun 13 10:42:51 2003 386 192.168.44.4
Jun 13 10:42:51 2003 437 192.168.44.4
Jun 13 10:42:51 2003 49 192.168.44.4
Jun 13 10:42:51 2003 348 192.168.44.4
Jun 13 10:42:56 2003 28 192.168.44.4
Jun 13 10:42:56 2003 42 192.168.44.4

During the same time period I see the following port 80 attempts
blocked and logged by the firewall:

Jun 13 10:42:49 k5wls kernel: Packet log: input DENY eth1 PROTO=6 \
   192.168.44.4:1222 143.252.78.23:80... SYN
Jun 13 10:42:52 ... 192.168.44.4:1222 143.252.78.23:80 (trimmed)
Jun 13 10:42:58 ... 192.168.44.4:1222 143.252.78.23:80

- - - - - - - - -

I read a news story at www.startribune.com. The following was
directed to the proxy at port 3128 and it appears in squid's
access.log:

Jun 13 10:44:27 2003 499 192.168.44.4 \
   TCP_MISS/200 27638 GET \
   http://www.startribune.com/stories/484/3934421.html \
   Rick DIRECT/132.148.87.30 text/html
Jun 13 10:44:27 2003 190 192.168.44.4 (trimmed)
Jun 13 10:44:27 2003 306 192.168.44.4
Jun 13 10:44:27 2003 161 192.168.44.4
Jun 13 10:44:27 2003 17 192.168.44.4
Jun 13 10:44:28 2003 303 192.168.44.4
Jun 13 10:44:28 2003 269 192.168.44.4
Jun 13 10:44:28 2003 389 192.168.44.4
Jun 13 10:44:28 2003 550 192.168.44.4
Jun 13 10:44:28 2003 301 192.168.44.4
Jun 13 10:44:28 2003 185 192.168.44.4
Jun 13 10:44:28 2003 218 192.168.44.4
Jun 13 10:44:28 2003 343 192.168.44.4
Jun 13 10:44:29 2003 255 192.168.44.4
Jun 13 10:44:29 2003 268 192.168.44.4
Jun 13 10:44:29 2003 212 192.168.44.4
Jun 13 10:44:29 2003 276 192.168.44.4
Jun 13 10:44:29 2003 276 192.168.44.4
Jun 13 10:44:29 2003 211 192.168.44.4
Jun 13 10:44:29 2003 325 192.168.44.4
Jun 13 10:44:29 2003 366 192.168.44.4
Jun 13 10:44:29 2003 416 192.168.44.4

During the same time period I see the following port 80 attempts
blocked and logged by the firewall:

Jun 13 10:44:27 k5wls kernel: Packet log: input DENY eth1 PROTO=6 \
   192.168.44.4:1233 132.148.87.32:80... SYN
Jun 13 10:44:27 ... 192.168.44.4:1234 132.148.87.32:80 (trimmed)
Jun 13 10:44:30 ... 192.168.44.4:1233 132.148.87.32:80
Jun 13 10:44:30 ... 192.168.44.4:1234 132.148.87.32:80
Jun 13 10:44:35 ... 192.168.44.4:1234 132.148.87.32:80
Jun 13 10:44:35 ... 192.168.44.4:1233 132.148.87.32:80
Jun 13 10:44:47 ... 192.168.44.4:1237 132.148.87.32:80
Jun 13 10:44:47 ... 192.168.44.4:1238 132.148.87.32:80
Jun 13 10:44:50 ... 192.168.44.4:1237 132.148.87.32:80
Jun 13 10:44:50 ... 192.168.44.4:1238 132.148.87.32:80
Jun 13 10:44:57 ... 192.168.44.4:1238 132.148.87.32:80
Jun 13 10:44:57 ... 192.168.44.4:1237 132.148.87.32:80
Jun 13 10:45:08 ... 192.168.44.4:1243 132.148.87.32:80
Jun 13 10:45:08 ... 192.168.44.4:1244 132.148.87.32:80
Jun 13 10:45:11 ... 192.168.44.4:1243 132.148.87.32:80
Jun 13 10:45:11 ... 192.168.44.4:1244 132.148.87.32:80
Jun 13 10:45:17 ... 192.168.44.4:1244 132.148.87.32:80
Jun 13 10:45:17 ... 192.168.44.4:1243 132.148.87.32:80

- - - - - - - - -

I read a news story at www.dailysentinel.com. The following was
directed to the proxy at port 3128 and it appears in squid's
access.log:

Jun 13 10:45:07 2003 518 192.168.44.4 \
   TCP_MISS/200 12768 GET \
   http://www.dailysentinel.com/news/newsfd/auto/feed/news/2003/06/12\
   /1055468403.04889.1676.0222.html \
   Rick DIRECT/64.210.243.28 text/html
Jun 13 10:45:07 2003 313 192.168.44.4 (trimmed)
Jun 13 10:45:07 2003 22 192.168.44.4
Jun 13 10:45:08 2003 305 192.168.44.4
Jun 13 10:45:08 2003 317 192.168.44.4
Jun 13 10:45:08 2003 425 192.168.44.4
Jun 13 10:45:08 2003 222 192.168.44.4
Jun 13 10:45:08 2003 285 192.168.44.4
Jun 13 10:45:08 2003 305 192.168.44.4
Jun 13 10:45:08 2003 383 192.168.44.4
Jun 13 10:45:08 2003 32 192.168.44.4
Jun 13 10:45:08 2003 295 192.168.44.4
Jun 13 10:45:08 2003 235 192.168.44.4
Jun 13 10:45:08 2003 284 192.168.44.4
Jun 13 10:45:08 2003 248 192.168.44.4

During the same time period I see the following port 80 attempts
blocked and logged by the firewall:

Jun 13 10:45:30 k5wls kernel: Packet log: input DENY eth1 PROTO=6 \
   192.168.44.4:1245 64.210.243.28:80... SYN
Jun 13 10:45:30 ... 192.168.44.4:1246 64.210.243.28:80 (trimmed)
Jun 13 10:45:33 ... 192.168.44.4:1245 64.210.243.28:80
Jun 13 10:45:33 ... 192.168.44.4:1246 64.210.243.28:80
Jun 13 10:45:38 ... 192.168.44.4:1246 64.210.243.28:80
Jun 13 10:45:38 ... 192.168.44.4:1245 64.210.243.28:80
Jun 13 10:45:50 ... 192.168.44.4:1247 64.210.243.28:80
Jun 13 10:45:50 ... 192.168.44.4:1248 64.210.243.28:80
Jun 13 10:45:53 ... 192.168.44.4:1247 64.210.243.28:80
Jun 13 10:45:53 ... 192.168.44.4:1248 64.210.243.28:80
Jun 13 10:46:00 ... 192.168.44.4:1247 64.210.243.28:80
Jun 13 10:46:11 ... 192.168.44.4:1249 64.210.243.28:80
Jun 13 10:46:11 ... 192.168.44.4:1250 64.210.243.28:80
Jun 13 10:46:14 ... 192.168.44.4:1249 64.210.243.28:80
Jun 13 10:46:14 ... 192.168.44.4:1250 64.210.243.28:80
Jun 13 10:46:20 ... 192.168.44.4:1250 64.210.243.28:80
Jun 13 10:46:20 ... 192.168.44.4:1249 64.210.243.28:80
Jun 13 10:46:33 ... 192.168.44.4:1251 64.210.243.28:80
Jun 13 10:46:33 ... 192.168.44.4:1252 64.210.243.28:80
Jun 13 10:46:36 ... 192.168.44.4:1251 64.210.243.28:80
Jun 13 10:46:36 ... 192.168.44.4:1252 64.210.243.28:80
Jun 13 10:46:41 ... 192.168.44.4:1252 64.210.243.28:80
Jun 13 10:46:41 ... 192.168.44.4:1251 64.210.243.28:80
Jun 13 10:46:53 ... 192.168.44.4:1253 64.210.243.28:80
Jun 13 10:46:53 ... 192.168.44.4:1254 64.210.243.28:80
Jun 13 10:46:56 ... 192.168.44.4:1253 64.210.243.28:80
Jun 13 10:46:56 ... 192.168.44.4:1254 64.210.243.28:80
Jun 13 10:47:03 ... 192.168.44.4:1254 64.210.243.28:80
Jun 13 10:47:03 ... 192.168.44.4:1253 64.210.243.28:80
Jun 13 10:47:14 ... 192.168.44.4:1260 64.210.243.28:80
Jun 13 10:47:14 ... 192.168.44.4:1261 64.210.243.28:80
Jun 13 10:47:17 ... 192.168.44.4:1260 64.210.243.28:80
Jun 13 10:47:17 ... 192.168.44.4:1261 64.210.243.28:80
Jun 13 10:47:23 ... 192.168.44.4:1261 64.210.243.28:80
Jun 13 10:47:23 ... 192.168.44.4:1260 64.210.243.28:80

- - - - - - - - -

Strange!

Any ideas?

TIA!

Rick

>
> On Fri, 2003-06-13 at 12:21, Rick Matthews wrote:
> > I have a Windows XP box running IE 6.0.2800 and it is configured to
> > use my squid proxy at 192.168.44.1:3128. Everything appears to work
> > fine from a user perspective.
> >
> > I am blocking outbound port 80 at my firewall and whenever this PC
> > is in use I see blocked port 80 attempts. I spent about 15 minutes
> > this morning doing general browsing on that PC, and then checked the
> > firewall log. I was surprised to find a large number of port 80
> > entries. There were only about 12 ip addresses, but all of them
> > had multiple entries (50+).
> >
> > I looked in squid's access.log and quickly found 4 or 5 of the
> > ip addresses listed for sites that I visited. Is it possible
> > that while trying to load a page, IE would send most of the links
> > using the proxy and send a few of them via port 80? That's how it
> > looks to me. While I was browsing I did not notice red "x's" or
> > other indications that items had not been loaded. Maybe it
> > tried direct and then fell back to the proxy? (I'm not using
> > a proxy.pac file; the proxy address and port have been entered.)
> >
> > I had tcpdump running at the time (looking for something else)
> > so I have the requests captured, but looking at them doesn't
> > do anything for me.
> >
> > As I was researching this I found that my squid version (2.4.STABLE6)
> > is a little dated; could that have anything to do with this issue?
> >
> > Thanks in advance for your help!
> >
> > Rick
>
Received on Fri Jun 13 2003 - 21:47:48 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:17:22 MST
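A scripted version of the cross-check Rick does by hand above (matching each firewall-denied direct port-80 SYN against a proxied request from the same client to the same destination IP), as an added example that is not part of the original post or of Squid. The log line shapes are assumptions modelled on the excerpts in the post: a Squid access.log line with a human-readable timestamp, and an ipchains-style kernel "Packet log: ... DENY" line; the year for the syslog lines, the matching window, and the sample lines are all constructed here.

```python
"""Correlate proxy access-log entries with firewall-denied direct port-80
connection attempts from the same client (added example, not from the post)."""
import re
from collections import defaultdict
from datetime import datetime

# Assumed Squid access.log shape, as in the post:
#   Jun 13 10:39:31 2003 563 192.168.44.4 TCP_REFRESH_MISS/200 27196 GET \
#   http://www.drudgereport.com/ Rick DIRECT/66.28.209.210 text/html
SQUID_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}) (?P<elapsed>\d+) "
    r"(?P<client>\S+) (?P<code>\S+) (?P<bytes>\d+) (?P<method>\S+) "
    r"(?P<url>\S+) (?P<ident>\S+) (?P<hier>\S+)/(?P<peer>\S+) (?P<ctype>\S+)$"
)

# Assumed ipchains-style kernel log shape, as in the post (only the
# prefix up to dst:port is needed, so trailing fields are ignored):
#   Jun 13 10:39:31 k5wls kernel: Packet log: input DENY eth1 PROTO=6 \
#   192.168.44.4:1209 66.28.209.210:80 ... SYN
FW_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ kernel: Packet log: "
    r"(?P<chain>\w+) (?P<action>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_squid(line):
    """Return a dict for one access.log line, or None if it does not match."""
    m = SQUID_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S %Y"),
            "client": m["client"], "url": m["url"],
            "hier": m["hier"], "peer": m["peer"]}


def parse_firewall(line, year):
    """Return a dict for one kernel packet-log line; syslog lines carry
    no year, so the caller supplies it."""
    m = FW_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(f"{m['ts']} {year}", "%b %d %H:%M:%S %Y"),
            "action": m["action"], "proto": int(m["proto"]),
            "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}


def correlate(squid_lines, fw_lines, year=2003, window_s=120):
    """Split denied direct TCP/80 SYNs into those that have a proxied
    DIRECT/<ip> request from the same client to the same IP within
    window_s seconds (a client that went both ways for one site) and
    those that have no proxied counterpart (a different IP, or a
    program that never used the proxy at all)."""
    proxied = defaultdict(list)          # (client, peer_ip) -> [timestamps]
    for line in squid_lines:
        rec = parse_squid(line)
        if rec and rec["hier"] == "DIRECT":  # cache hits carry NONE/- and no peer
            proxied[(rec["client"], rec["peer"])].append(rec["ts"])
    matched, unmatched = [], []
    for line in fw_lines:
        rec = parse_firewall(line, year)
        if not rec or rec["action"] != "DENY" or rec["proto"] != 6 or rec["dport"] != 80:
            continue
        hits = [t for t in proxied.get((rec["src"], rec["dst"]), [])
                if abs((t - rec["ts"]).total_seconds()) <= window_s]
        (matched if hits else unmatched).append(rec)
    return matched, unmatched


def summarize(matched, unmatched):
    """Per-client counts, the figure a firewall admin would review."""
    out = defaultdict(lambda: {"bypass_of_proxied_site": 0,
                               "no_proxied_counterpart": 0, "destinations": set()})
    for rec in matched:
        out[rec["src"]]["bypass_of_proxied_site"] += 1
        out[rec["src"]]["destinations"].add(rec["dst"])
    for rec in unmatched:
        out[rec["src"]]["no_proxied_counterpart"] += 1
        out[rec["src"]]["destinations"].add(rec["dst"])
    return dict(out)


# Constructed sample input, modelled on the post's excerpts (the trailing
# L=/S=/I=/F=/T= fields on the firewall lines are made up).
SQUID_SAMPLE = """\
Jun 13 10:39:31 2003 563 192.168.44.4 TCP_REFRESH_MISS/200 27196 GET http://www.drudgereport.com/ Rick DIRECT/66.28.209.210 text/html
Jun 13 10:39:32 2003 5 192.168.44.4 TCP_HIT/200 1452 GET http://www.drudgereport.com/logo.gif Rick NONE/- image/gif
Jun 13 10:44:27 2003 499 192.168.44.4 TCP_MISS/200 27638 GET http://www.startribune.com/stories/484/3934421.html Rick DIRECT/132.148.87.30 text/html
"""
FW_SAMPLE = """\
Jun 13 10:39:31 k5wls kernel: Packet log: input DENY eth1 PROTO=6 192.168.44.4:1209 66.28.209.210:80 L=48 S=0x00 I=1234 F=0x4000 T=128 SYN
Jun 13 10:39:34 k5wls kernel: Packet log: input DENY eth1 PROTO=6 192.168.44.4:1209 66.28.209.210:80 L=48 S=0x00 I=1235 F=0x4000 T=128 SYN
Jun 13 10:44:27 k5wls kernel: Packet log: input DENY eth1 PROTO=6 192.168.44.4:1233 132.148.87.32:80 L=48 S=0x00 I=1300 F=0x4000 T=128 SYN
Jun 13 10:50:00 k5wls kernel: Packet log: input DENY eth1 PROTO=6 192.168.44.4:1300 10.9.8.7:443 L=48 S=0x00 I=1400 F=0x4000 T=128 SYN
"""

if __name__ == "__main__":
    m, u = correlate(SQUID_SAMPLE.splitlines(), FW_SAMPLE.splitlines())
    for client, stats in summarize(m, u).items():
        print(client, stats)
```

The split matters for the diagnosis: a denied SYN whose destination also shows up as a DIRECT peer in access.log within seconds points at the browser (or something riding on it) reaching for the site both ways, while a destination that never appears in access.log, such as the .32 address beside Squid's .30 in the startribune case, is either a different host of the same site or a program that ignores the proxy setting entirely. Port-443 denies are skipped, since a proxy-configured client should be sending those as CONNECT requests anyway.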