Stephen J. McCracken wrote:
> Are you sure that it's IE 6 trying port 80 or might it be some other
> little program on the machine that ignores proxy settings? (e.g.
> spyware program/windows update/messenger/etc)

The box is clean, no spyware.

Here's a better explanation of what I am seeing:

In my surfing I went to www.drudgereport.com. The following was
directed to the proxy at port 3128 and it appears in squid's
access.log:

Jun 13 10:39:31 2003 563 192.168.44.4 \
  TCP_REFRESH_MISS/200 27196 GET \
  http://www.drudgereport.com/ \
  Rick DIRECT/66.28.209.210 text/html
Jun 13 10:39:31 2003 31 192.168.44.4 (trimmed)
Jun 13 10:39:31 2003 18 192.168.44.4
Jun 13 10:39:31 2003 126 192.168.44.4
Jun 13 10:39:32 2003 138 192.168.44.4
Jun 13 10:39:32 2003 363 192.168.44.4
Jun 13 10:39:32 2003 250 192.168.44.4
Jun 13 10:39:32 2003 449 192.168.44.4
Jun 13 10:39:32 2003 720 192.168.44.4

During the same time period I see the following port 80 attempts
blocked and logged by the firewall:

Jun 13 10:39:31 k5wls kernel: Packet log: input DENY eth1 PROTO=6 \
  192.168.44.4:1209 66.28.209.210:80... SYN
Jun 13 10:39:31 ... 192.168.44.4:1211 66.28.209.210:80 (trimmed)
Jun 13 10:39:34 ... 192.168.44.4:1209 66.28.209.210:80
Jun 13 10:39:34 ... 192.168.44.4:1211 66.28.209.210:80
Jun 13 10:39:40 ... 192.168.44.4:1211 66.28.209.210:80
Jun 13 10:39:40 ... 192.168.44.4:1209 66.28.209.210:80
Jun 13 10:39:54 ... 192.168.44.4:1215 66.28.209.210:80
Jun 13 10:39:57 ... 192.168.44.4:1215 66.28.209.210:80
Jun 13 10:40:03 ... 192.168.44.4:1215 66.28.209.210:80

- - - - - - - - -

I read a news story at www.timesonline.co.uk. The following was
directed to the proxy at port 3128 and it appears in squid's
access.log:

Jun 13 10:42:49 2003 894 192.168.44.4 \
  TCP_MISS/200 26061 GET \
  http://www.timesonline.co.uk/article/0,,1-712552,00.html \
  Rick DIRECT/143.252.78.23 text/html
Jun 13 10:42:50 2003 19 192.168.44.4 (trimmed)
Jun 13 10:42:50 2003 868 192.168.44.4
Jun 13 10:42:51 2003 474 192.168.44.4
Jun 13 10:42:51 2003 449 192.168.44.4
Jun 13 10:42:51 2003 386 192.168.44.4
Jun 13 10:42:51 2003 437 192.168.44.4
Jun 13 10:42:51 2003 49 192.168.44.4
Jun 13 10:42:51 2003 348 192.168.44.4
Jun 13 10:42:56 2003 28 192.168.44.4
Jun 13 10:42:56 2003 42 192.168.44.4

During the same time period I see the following port 80 attempts
blocked and logged by the firewall:

Jun 13 10:42:49 k5wls kernel: Packet log: input DENY eth1 PROTO=6 \
  192.168.44.4:1222 143.252.78.23:80... SYN
Jun 13 10:42:52 ... 192.168.44.4:1222 143.252.78.23:80 (trimmed)
Jun 13 10:42:58 ... 192.168.44.4:1222 143.252.78.23:80

- - - - - - - - -

I read a news story at www.startribune.com. The following was
directed to the proxy at port 3128 and it appears in squid's
access.log:

Jun 13 10:44:27 2003 499 192.168.44.4 \
  TCP_MISS/200 27638 GET \
  http://www.startribune.com/stories/484/3934421.html \
  Rick DIRECT/132.148.87.30 text/html
Jun 13 10:44:27 2003 190 192.168.44.4 (trimmed)
Jun 13 10:44:27 2003 306 192.168.44.4
Jun 13 10:44:27 2003 161 192.168.44.4
Jun 13 10:44:27 2003 17 192.168.44.4
Jun 13 10:44:28 2003 303 192.168.44.4
Jun 13 10:44:28 2003 269 192.168.44.4
Jun 13 10:44:28 2003 389 192.168.44.4
Jun 13 10:44:28 2003 550 192.168.44.4
Jun 13 10:44:28 2003 301 192.168.44.4
Jun 13 10:44:28 2003 185 192.168.44.4
Jun 13 10:44:28 2003 218 192.168.44.4
Jun 13 10:44:28 2003 343 192.168.44.4
Jun 13 10:44:29 2003 255 192.168.44.4
Jun 13 10:44:29 2003 268 192.168.44.4
Jun 13 10:44:29 2003 212 192.168.44.4
Jun 13 10:44:29 2003 276 192.168.44.4
Jun 13 10:44:29 2003 276 192.168.44.4
Jun 13 10:44:29 2003 211 192.168.44.4
Jun 13 10:44:29 2003 325 192.168.44.4
Jun 13 10:44:29 2003 366 192.168.44.4
Jun 13 10:44:29 2003 416 192.168.44.4

During the same time period I see the following port 80 attempts
blocked and logged by the firewall:

Jun 13 10:44:27 k5wls kernel: Packet log: input DENY eth1 PROTO=6 \
  192.168.44.4:1233 132.148.87.32:80... SYN
Jun 13 10:44:27 ... 192.168.44.4:1234 132.148.87.32:80 (trimmed)
Jun 13 10:44:30 ... 192.168.44.4:1233 132.148.87.32:80
Jun 13 10:44:30 ... 192.168.44.4:1234 132.148.87.32:80
Jun 13 10:44:35 ... 192.168.44.4:1234 132.148.87.32:80
Jun 13 10:44:35 ... 192.168.44.4:1233 132.148.87.32:80
Jun 13 10:44:47 ... 192.168.44.4:1237 132.148.87.32:80
Jun 13 10:44:47 ... 192.168.44.4:1238 132.148.87.32:80
Jun 13 10:44:50 ... 192.168.44.4:1237 132.148.87.32:80
Jun 13 10:44:50 ... 192.168.44.4:1238 132.148.87.32:80
Jun 13 10:44:57 ... 192.168.44.4:1238 132.148.87.32:80
Jun 13 10:44:57 ... 192.168.44.4:1237 132.148.87.32:80
Jun 13 10:45:08 ... 192.168.44.4:1243 132.148.87.32:80
Jun 13 10:45:08 ... 192.168.44.4:1244 132.148.87.32:80
Jun 13 10:45:11 ... 192.168.44.4:1243 132.148.87.32:80
Jun 13 10:45:11 ... 192.168.44.4:1244 132.148.87.32:80
Jun 13 10:45:17 ... 192.168.44.4:1244 132.148.87.32:80
Jun 13 10:45:17 ... 192.168.44.4:1243 132.148.87.32:80

- - - - - - - - -

I read a news story at www.dailysentinel.com. The following was
directed to the proxy at port 3128 and it appears in squid's
access.log:

Jun 13 10:45:07 2003 518 192.168.44.4 \
  TCP_MISS/200 12768 GET \
  http://www.dailysentinel.com/news/newsfd/auto/feed/news/2003/06/12\
  /1055468403.04889.1676.0222.html \
  Rick DIRECT/64.210.243.28 text/html
Jun 13 10:45:07 2003 313 192.168.44.4 (trimmed)
Jun 13 10:45:07 2003 22 192.168.44.4
Jun 13 10:45:08 2003 305 192.168.44.4
Jun 13 10:45:08 2003 317 192.168.44.4
Jun 13 10:45:08 2003 425 192.168.44.4
Jun 13 10:45:08 2003 222 192.168.44.4
Jun 13 10:45:08 2003 285 192.168.44.4
Jun 13 10:45:08 2003 305 192.168.44.4
Jun 13 10:45:08 2003 383 192.168.44.4
Jun 13 10:45:08 2003 32 192.168.44.4
Jun 13 10:45:08 2003 295 192.168.44.4
Jun 13 10:45:08 2003 235 192.168.44.4
Jun 13 10:45:08 2003 284 192.168.44.4
Jun 13 10:45:08 2003 248 192.168.44.4

During the same time period I see the following port 80 attempts
blocked and logged by the firewall:

Jun 13 10:45:30 k5wls kernel: Packet log: input DENY eth1 PROTO=6 \
  192.168.44.4:1245 64.210.243.28:80... SYN
Jun 13 10:45:30 ... 192.168.44.4:1246 64.210.243.28:80 (trimmed)
Jun 13 10:45:33 ... 192.168.44.4:1245 64.210.243.28:80
Jun 13 10:45:33 ... 192.168.44.4:1246 64.210.243.28:80
Jun 13 10:45:38 ... 192.168.44.4:1246 64.210.243.28:80
Jun 13 10:45:38 ... 192.168.44.4:1245 64.210.243.28:80
Jun 13 10:45:50 ... 192.168.44.4:1247 64.210.243.28:80
Jun 13 10:45:50 ... 192.168.44.4:1248 64.210.243.28:80
Jun 13 10:45:53 ... 192.168.44.4:1247 64.210.243.28:80
Jun 13 10:45:53 ... 192.168.44.4:1248 64.210.243.28:80
Jun 13 10:46:00 ... 192.168.44.4:1247 64.210.243.28:80
Jun 13 10:46:11 ... 192.168.44.4:1249 64.210.243.28:80
Jun 13 10:46:11 ... 192.168.44.4:1250 64.210.243.28:80
Jun 13 10:46:14 ... 192.168.44.4:1249 64.210.243.28:80
Jun 13 10:46:14 ... 192.168.44.4:1250 64.210.243.28:80
Jun 13 10:46:20 ... 192.168.44.4:1250 64.210.243.28:80
Jun 13 10:46:20 ... 192.168.44.4:1249 64.210.243.28:80
Jun 13 10:46:33 ... 192.168.44.4:1251 64.210.243.28:80
Jun 13 10:46:33 ... 192.168.44.4:1252 64.210.243.28:80
Jun 13 10:46:36 ... 192.168.44.4:1251 64.210.243.28:80
Jun 13 10:46:36 ... 192.168.44.4:1252 64.210.243.28:80
Jun 13 10:46:41 ... 192.168.44.4:1252 64.210.243.28:80
Jun 13 10:46:41 ... 192.168.44.4:1251 64.210.243.28:80
Jun 13 10:46:53 ... 192.168.44.4:1253 64.210.243.28:80
Jun 13 10:46:53 ... 192.168.44.4:1254 64.210.243.28:80
Jun 13 10:46:56 ... 192.168.44.4:1253 64.210.243.28:80
Jun 13 10:46:56 ... 192.168.44.4:1254 64.210.243.28:80
Jun 13 10:47:03 ... 192.168.44.4:1254 64.210.243.28:80
Jun 13 10:47:03 ... 192.168.44.4:1253 64.210.243.28:80
Jun 13 10:47:14 ... 192.168.44.4:1260 64.210.243.28:80
Jun 13 10:47:14 ... 192.168.44.4:1261 64.210.243.28:80
Jun 13 10:47:17 ... 192.168.44.4:1260 64.210.243.28:80
Jun 13 10:47:17 ... 192.168.44.4:1261 64.210.243.28:80
Jun 13 10:47:23 ... 192.168.44.4:1261 64.210.243.28:80
Jun 13 10:47:23 ... 192.168.44.4:1260 64.210.243.28:80

- - - - - - - - -

Strange! Any ideas?

TIA!

Rick

> On Fri, 2003-06-13 at 12:21, Rick Matthews wrote:
> > I have a Windows XP box running IE 6.0.2800 and it is configured to
> > use my squid proxy at 192.168.44.1:3128. Everything appears to work
> > fine from a user perspective.
> >
> > I am blocking outbound port 80 at my firewall and whenever this PC
> > is in use I see blocked port 80 attempts. I spent about 15 minutes
> > this morning doing general browsing on that PC, and then checked the
> > firewall log. I was surprised to find a large number of port 80
> > entries. There were only about 12 ip addresses, but all of them
> > had multiple entries (50+).
> >
> > I looked in squid's access.log and quickly found 4 or 5 of the
> > ip addresses listed for sites that I visited. Is it possible
> > that while trying to load a page, IE would send most of the links
> > using the proxy and send a few of them via port 80? That's how it
> > looks to me. While I was browsing I did not notice red "x's" or
> > other indications that items had not been loaded. Maybe it
> > tried direct and then fell back to the proxy? (I'm not using
> > a proxy.pac file; the proxy address and port have been entered.)
> >
> > I had tcpdump running at the time (looking for something else)
> > so I have the requests captured, but looking at them doesn't
> > do anything for me.
> >
> > As I was researching this I found that my squid version (2.4.STABLE6)
> > is a little dated; could that have anything to do with this issue?
> >
> > Thanks in advance for your help!
> >
> > Rick
>
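A correlator for the two log formats quoted in this thread, added here as an example and not code from the thread or from squid: it pairs each blocked outbound :80 SYN with the proxy's own DIRECT fetches from the same client inside a time window and reports whether the blocked destination is a server the proxy fetched from (exact), a neighbour in the same /24 (same_24, which is what the startribune pair above looks like), or something the proxy never touched (none). The sample lines are constructed to mirror the excerpts; the ipchains field tail and the 198.51.100.7 destination are invented for the example.

```python
import re
from datetime import datetime

# Squid access.log line in the httpd-style date form quoted in the thread:
# date, elapsed ms, client, result/status, bytes, method, URL, ident, hierarchy/peer, type
SQUID_RE = re.compile(r"^(\w{3} +\d+ [\d:]+ \d{4}) \d+ (\S+) \S+ \d+ \S+ (\S+) \S+ \w+/(\S+) \S+$")
# ipchains "Packet log" kernel line as quoted in the thread (syslog stamps carry no year)
FW_RE = re.compile(r"^(\w{3} +\d+ [\d:]+) \S+ kernel: Packet log: \S+ DENY \S+ PROTO=6 "
                   r"([\d.]+):\d+ ([\d.]+):(\d+)")

def parse_squid(lines):
    # (time, client_ip, url, peer_ip) for each upstream fetch the proxy made
    rows = [SQUID_RE.match(l.strip()) for l in lines]
    return [(datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y"), m.group(2), m.group(3), m.group(4))
            for m in rows if m]

def correlate(squid_lines, fw_lines, year=2003, window_s=30):
    """For every blocked outbound :80 SYN, return (stamp, src, dst, verdict, urls): verdict is
    exact / same_24 / none depending on what the same client had the proxy fetch within window_s."""
    fetches = parse_squid(squid_lines)
    report = []
    for line in fw_lines:
        m = FW_RE.match(line.strip())
        if not m or m.group(4) != "80":
            continue
        t = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        src, dst = m.group(2), m.group(3)
        near = [f for f in fetches
                if f[1] == src and abs((f[0] - t).total_seconds()) <= window_s]
        exact = [f[2] for f in near if f[3] == dst]
        same24 = [f[2] for f in near if f[3].rsplit(".", 1)[0] == dst.rsplit(".", 1)[0]]
        verdict = "exact" if exact else "same_24" if same24 else "none"
        report.append((m.group(1), src, dst, verdict, exact or same24))
    return report

# Constructed sample lines modelled on the excerpts in the thread; the ipchains field
# tail and the 198.51.100.7 destination are invented for the example.
SQUID_SAMPLE = [
    "Jun 13 10:39:31 2003 563 192.168.44.4 TCP_REFRESH_MISS/200 27196 GET http://www.drudgereport.com/ Rick DIRECT/66.28.209.210 text/html",
    "Jun 13 10:44:27 2003 499 192.168.44.4 TCP_MISS/200 27638 GET http://www.startribune.com/stories/484/3934421.html Rick DIRECT/132.148.87.30 text/html",
]
FW_SAMPLE = [
    "Jun 13 10:39:31 k5wls kernel: Packet log: input DENY eth1 PROTO=6 192.168.44.4:1209 66.28.209.210:80 L=48 S=0x00 I=1 F=0x4000 T=128 SYN",
    "Jun 13 10:44:27 k5wls kernel: Packet log: input DENY eth1 PROTO=6 192.168.44.4:1233 132.148.87.32:80 L=48 S=0x00 I=2 F=0x4000 T=128 SYN",
    "Jun 13 10:51:02 k5wls kernel: Packet log: input DENY eth1 PROTO=6 192.168.44.4:1301 198.51.100.7:80 L=48 S=0x00 I=3 F=0x4000 T=128 SYN",
]

if __name__ == "__main__":
    for stamp, src, dst, verdict, urls in correlate(SQUID_SAMPLE, FW_SAMPLE):
        print(f"{stamp} {src} -> {dst}:80  {verdict}  {' '.join(urls)}")
```

An exact or same_24 hit that lands on the timestamp of a page fetch points at the browser itself going direct to a host it just saw via the proxy; the none entries are the ones to attribute to some other process on the client.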
