Weird ‘hex’ (?) IP addresses in Apache access logs

Okay, I finally caught two more:

\xa0\x14\x84>\xcd\x7f - - [18/Oct/2020:08:39:12 -0500] "GET / HTTP/1.1" 301 229
\xa0:\x03=\xcd\x7f - - [18/Oct/2020:08:39:12 -0500] "GET /robots.txt HTTP/1.1" 301 239

…but I don't see anything that correlates (time base concorded):

08:39:11.831619	fe80::211:32ff:feb1:75b9	iGib.local	ICMPv6	78	Neighbor Advertisement fe80::211:32ff:feb1:75b9 (rtr, sol)
08:39:12.066005	Michaels-iPad.local	224.0.0.251	MDNS	723	Standard query response 0x0000 TXT, cache flush PTR _companion-link._tcp.local PTR Michael's iPad._companion-link._tcp.local TXT SRV, cache flush 0 0 49174 Michaels-iPad.local PTR, cache flush Michaels-iPad.local PTR, cache flush Michaels-iPad.local PTR, cache flush Michaels-iPad.local AAAA, cache flush fe80::1819:b9aa:e8e7:2999 AAAA, cache flush 2600:6c58:4200:45af:14c3:f80:9bba:29ce A, cache flush 192.168.1.17 NSEC, cache flush Michael's iPad._companion-link._tcp.local NSEC, cache flush 9.9.9.2.7.E.8.E.A.A.9.B.9.1.8.1.0.0.0.0.0.0.0.0.0.0.0.0.0.8.E.F.ip6.arpa NSEC, cache flush E.C.9.2.A.B.B.9.0.8.F.0.3.C.4.1.F.A.5.4.0.0.2.4.8.5.C.6.0.0.6.2.ip6.arpa NSEC, cache flush 17.1.168.192.in-addr.arpa NSEC, cache flush Michaels-iPad.local OPT
08:39:12.066411	Michaels-iPad.local	ff02::fb	MDNS	743	Standard query response 0x0000 TXT, cache flush PTR _companion-link._tcp.local PTR Michael's iPad._companion-link._tcp.local TXT SRV, cache flush 0 0 49174 Michaels-iPad.local PTR, cache flush Michaels-iPad.local PTR, cache flush Michaels-iPad.local PTR, cache flush Michaels-iPad.local AAAA, cache flush fe80::1819:b9aa:e8e7:2999 AAAA, cache flush 2600:6c58:4200:45af:14c3:f80:9bba:29ce A, cache flush 192.168.1.17 NSEC, cache flush Michael's iPad._companion-link._tcp.local NSEC, cache flush 9.9.9.2.7.E.8.E.A.A.9.B.9.1.8.1.0.0.0.0.0.0.0.0.0.0.0.0.0.8.E.F.ip6.arpa NSEC, cache flush E.C.9.2.A.B.B.9.0.8.F.0.3.C.4.1.F.A.5.4.0.0.2.4.8.5.C.6.0.0.6.2.ip6.arpa NSEC, cache flush 17.1.168.192.in-addr.arpa NSEC, cache flush Michaels-iPad.local OPT
08:39:12.551397	SynologyRouter.local	Broadcast	ARP	60	Who has 192.168.1.96? Tell 192.168.1.1
08:39:12.633299	a2:40:a0:70:71:1e	Spanning-tree-(for-bridges)_00	STP	60	Conf. Root = 32768/0/a0:40:a0:70:71:1e  Cost = 0  Port = 0x8003
08:39:13.006196	iGib.local	80.80.81.81	DNS	86	Standard query 0x685e PTR 37.149.70.212.in-addr.arpa

It appears that Wireshark has not caught any incoming connections from the WAN during that second (nor the entire second preceding nor following). What am I missing—or what is Apache missing?! Any insight?!

2 Likes
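One way to triage entries like these, as an added example that is not from this thread or from Apache itself: the script reverses Apache's log escaping (`\xHH` for bytes it treats as non-printable, backslash forms for quotes, backslashes and the usual control characters) and then says whether the client field is an IPv4 address, an IPv6 address, something shaped like a hostname (what `HostnameLookups On` would put there), or none of those. The first sample line is one of the two quoted above and the 172.56.20.113 line is quoted later in the thread; the hostname and IPv6 lines are constructed.

```python
"""Classify the client field of Apache access-log lines (added example)."""
import ipaddress
import re

# Combined/common log layout: client ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Apache's log escaping: \b \n \r \t \v \" \\ for those characters,
# \xHH for every other byte it considers non-printable.
ESC_RE = re.compile(r'\\x([0-9a-fA-F]{2})|\\([bnrtv"\\])')
SIMPLE_ESC = {"b": 0x08, "n": 0x0A, "r": 0x0D, "t": 0x09, "v": 0x0B, '"': 0x22, "\\": 0x5C}

# One DNS label: alphanumerics and hyphens, no leading/trailing hyphen, at most 63 chars.
LABEL_RE = re.compile(r'^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$')


def unescape_apache(field: str) -> bytes:
    """Reverse Apache's escaping so the original bytes can be inspected."""
    out = bytearray()
    pos = 0
    for m in ESC_RE.finditer(field):
        out += field[pos:m.start()].encode("latin-1")
        if m.group(1) is not None:
            out.append(int(m.group(1), 16))
        else:
            out.append(SIMPLE_ESC[m.group(2)])
        pos = m.end()
    out += field[pos:].encode("latin-1")
    return bytes(out)


def looks_like_hostname(text: str) -> bool:
    labels = text.rstrip(".").split(".")
    return 0 < len(text) <= 253 and all(LABEL_RE.match(lbl) for lbl in labels)


def classify_client(field: str) -> str:
    """'ipv4', 'ipv6', 'hostname' (HostnameLookups On) or 'garbage'."""
    raw = unescape_apache(field)
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return "garbage"
    try:
        return "ipv6" if ipaddress.ip_address(text).version == 6 else "ipv4"
    except ValueError:
        pass
    return "hostname" if looks_like_hostname(text) else "garbage"


def scan(lines):
    """Parse each line; return dicts with the verdict and the raw client bytes in hex."""
    results = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            results.append({"kind": "unparsed", "line": line})
            continue
        client = m.group("client")
        results.append({
            "kind": classify_client(client),
            "client": client,
            "raw_hex": unescape_apache(client).hex(" "),
            "request": m.group("request"),
            "status": m.group("status"),
        })
    return results


# Constructed sample: lines 1 and 2 are quoted from the thread, lines 3 and 4 are made up
# to show the ordinary hostname and IPv6 cases.
SAMPLE_LINES = [
    r'\xa0\x14\x84>\xcd\x7f - - [18/Oct/2020:08:39:12 -0500] "GET / HTTP/1.1" 301 229',
    r'172.56.20.113 - - [19/Oct/2020:15:50:01 -0500] "GET /lettersfromitaly/071230.html HTTP/1.1" 200 7304',
    r'crawler-1.example.net - - [19/Oct/2020:16:00:00 -0500] "GET /robots.txt HTTP/1.1" 200 26',
    r'2001:db8::1 - - [19/Oct/2020:16:00:01 -0500] "GET / HTTP/1.1" 200 7304',
]

if __name__ == "__main__":
    for r in scan(SAMPLE_LINES):
        if r["kind"] != "unparsed":
            print(f'{r["kind"]:9} {r["raw_hex"]:30} {r["request"]}')
```

Run it over the real file with `scan(open("access_log"))`; the entries reported as `garbage` come out with their raw bytes in hex, which makes it easy to compare one odd entry with the next. With Apache's default `HostnameLookups Off` and `%h` in the LogFormat this field should always be an address; `%a` logs the client address regardless of that setting, so switching the format to `%a` is a quick way to tell whether the oddity is in the lookup or in the connection itself.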

Any chance that it's some kind of local socket connection or something weird like that?

3 Likes

Absolutely! At this point, anything's possible; outside-the-box thinking is needed. But shouldn't Wireshark capture such connections?

2 Likes

Apache is trying to resolve each IP to a name.
Thus the unknown IPs - they are rDNS entries.

Like here is an extremely fun rDNS to look at (at least it made me laugh): 82.222.227.52

[&2* readers: Get involved; Be heard. It starts with: if you read something you like, then like it :heart:]

2 Likes

;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 62010

Uh-huh, very funny :wink:

3 Likes

Devil's advocate here: there are indeed two such entries in the :12 second. But why would they tickle Apache? Is there any sign that they are HTTP protocol, or that they are coming into ports 80 or 443?

The similar one in the :13 second in any case does not show up at all…?!

2 Likes

I may have misread that output as if it was coming from Apache.
But the conclusion seems to hold water.
If Apache is trying to show the rDNS entry for the IP, then what you are seeing can be anything at all.

2 Likes

Interesting…the devices mentioned were not in active use at the time, and were in any case not attempting to connect to the website. Why and how would Apache try to show an rDNS lookup?

1 Like

Therein lies the problem.
It would seem that the default config is not so default then.
The how should be via: HostnameLookups
But there are other ways/reasons that it would do such things.
It is after all Apache.

2 Likes

Well, whatever causes these weird characters, Wireshark apparently isn't seeing it. This entry appears in this morning's access log:

\xa0\xb6\x01-\xcd\x7f - - [19/Oct/2020:07:36:40 -0500] "GET /robots.txt HTTP/1.1" 301 239

The only entries stop 32 seconds earlier, at 08:36:04, and they involve IP address 104.153.234.13, whois Backblaze (i.e., my backup). During the 08:36:40 second, there's not a single entry. But similar entries have been running all night, back to at least 06:45 when this piece of capture began. They start again a minute and 19 seconds later, at 07:37:59 (times conformed; these capture items are consecutive):

Time Source Destination Protocol Length Info
07:36:04.783037 104.153.234.13 iGib.local TCP 66 443 → 54817 [ACK] Seq=1 Ack=55025 Win=1890 Len=0 TSval=1594131090 TSecr=2317809221
07:36:04.783085 iGib.local 104.153.234.13 SSL 1514 Continuation Data
07:37:59.163434 104.153.234.53 iGib.local TCP 66 443 → 54921 [ACK] Seq=1 Ack=1 Win=2079 Len=0 TSval=492129469 TSecr=2317909936

But my Backblaze backup runs continuously, so it's hard to imagine that it causes this, although I also am puzzled as to why it seems to call in to port 443 (maybe in response to an outgoing connection?), and why would Backblaze want my robots.txt??!! Any further insight?

1 Like

I'm starting to think that you are running WireShark on a different system than the one with the Apache logs / weird hex entries.

1 Like

Definitely the same machine (no VMs).

1 Like

I turned off wi-fi on my phone and connected via cellular. Here's what a legitimate connection looks like in the access log:

172.56.20.113 - - [19/Oct/2020:15:50:01 -0500] "GET /lettersfromitaly/071230.html HTTP/1.1" 200 7304

And here's how it appears in Wireshark (subtract 5 hours); it's kinda chatty, and goes on for another 2 seconds:

Time Source Destination Protocol Length Info
20:50:01.011001 172.56.20.113 192.168.1.2 TCP 66 49587 → 443 [ACK] Seq=611 Ack=3002 Win=130944 Len=0 TSval=1932195075 TSecr=2344665897
20:50:01.014160 172.56.20.113 192.168.1.2 TLSv1.2 511 Application Data
20:50:01.014182 192.168.1.2 172.56.20.113 TCP 66 443 → 49587 [ACK] Seq=3002 Ack=1056 Win=130624 Len=0 TSval=2344665996 TSecr=1932195076
20:50:01.035526 192.168.1.2 172.56.20.113 TLSv1.2 1434 Application Data
20:50:01.035527 192.168.1.2 172.56.20.113 TCP 1434 443 → 49587 [ACK] Seq=4370 Ack=1056 Win=131072 Len=1368 TSval=2344666017 TSecr=1932195076 [TCP segment of a reassembled PDU]
20:50:01.035527 192.168.1.2 172.56.20.113 TCP 1434 443 → 49587 [ACK] Seq=5738 Ack=1056 Win=131072 Len=1368 TSval=2344666017 TSecr=1932195076 [TCP segment of a reassembled PDU]
20:50:01.035528 192.168.1.2 172.56.20.113 TCP 1434 443 → 49587 [ACK] Seq=7106 Ack=1056 Win=131072 Len=1368 TSval=2344666017 TSecr=1932195076 [TCP segment of a reassembled PDU]
20:50:01.035528 192.168.1.2 172.56.20.113 TCP 1434 443 → 49587 [ACK] Seq=8474 Ack=1056 Win=131072 Len=1368 TSval=2344666017 TSecr=1932195076 [TCP segment of a reassembled PDU]
20:50:01.092379 172.56.20.113 192.168.1.2 TCP 66 56077 → 993 [ACK] Seq=518 Ack=95 Win=131712 Len=0 TSval=1931986320 TSecr=2344665989
20:50:01.094170 172.56.20.113 192.168.1.2 TCP 66 56077 → 993 [ACK] Seq=518 Ack=2831 Win=129024 Len=0 TSval=1931986323 TSecr=2344665992
20:50:01.094172 172.56.20.113 192.168.1.2 TCP 66 56077 → 993 [ACK] Seq=518 Ack=4199 Win=131072 Len=0 TSval=1931986326 TSecr=2344665992
20:50:01.094253 192.168.1.2 172.56.20.113 TLSv1.2 939 Certificate, Server Key Exchange, Server Hello Done
20:50:01.104082 172.56.20.113 192.168.1.2 TCP 66 49587 → 443 [ACK] Seq=1056 Ack=5738 Win=129664 Len=0 TSval=1932195201 TSecr=2344666017
20:50:01.104131 192.168.1.2 172.56.20.113 TLSv1.2 899 Application Data
20:50:01.112654 172.56.20.113 192.168.1.2 TCP 66 49587 → 443 [ACK] Seq=1056 Ack=9842 Win=128256 Len=0 TSval=1932195205 TSecr=2344666017
20:50:01.180247 172.56.20.113 192.168.1.2 TCP 66 56077 → 993 [ACK] Seq=518 Ack=5072 Win=130176 Len=0 TSval=1931986407 TSecr=2344666074
20:50:01.187786 172.56.20.113 192.168.1.2 TCP 66 49587 → 443 [ACK] Seq=1056 Ack=10675 Win=130176 Len=0 TSval=1932195270 TSecr=2344666083
20:50:01.194350 172.56.20.113 192.168.1.2 TLSv1.2 232 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
20:50:01.194385 192.168.1.2 172.56.20.113 TCP 66 993 → 56077 [ACK] Seq=5072 Ack=684 Win=130880 Len=0 TSval=2344666171 TSecr=1931986439
20:50:01.197346 192.168.1.2 172.56.20.113 TLSv1.2 72 Change Cipher Spec
20:50:01.271759 172.56.20.113 192.168.1.2 TCP 66 56077 → 993 [ACK] Seq=684 Ack=5078 Win=130944 Len=0 TSval=1931986497 TSecr=2344666173
20:50:01.271830 192.168.1.2 172.56.20.113 TLSv1.2 268 Encrypted Handshake Message, Application Data
20:50:01.278480 172.56.20.113 192.168.1.2 TCP 78 18575 → 443 [SYN, ECN, CWR] Seq=0 Win=65535 Len=0 MSS=1380 WS=128 TSval=1932194877 TSecr=0 SACK_PERM=1
20:50:01.278811 192.168.1.2 172.56.20.113 TCP 78 443 → 18575 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=64 TSval=2344666252 TSecr=1932194877 SACK_PERM=1
20:50:01.344242 172.56.20.113 192.168.1.2 TCP 66 18575 → 443 [ACK] Seq=1 Ack=1 Win=131840 Len=0 TSval=1932194962 TSecr=2344666252
20:50:01.344323 192.168.1.2 172.56.20.113 TCP 66 [TCP Window Update] 443 → 18575 [ACK] Seq=1 Ack=1 Win=131328 Len=0 TSval=2344666317 TSecr=1932194962
20:50:01.360451 172.56.20.113 192.168.1.2 TLSv1.2 583 Client Hello
20:50:01.360452 172.56.20.113 192.168.1.2 TCP 66 56077 → 993 [ACK] Seq=684 Ack=5280 Win=130816 Len=0 TSval=1931986574 TSecr=2344666246
20:50:01.360581 192.168.1.2 172.56.20.113 TCP 66 443 → 18575 [ACK] Seq=1 Ack=518 Win=130752 Len=0 TSval=2344666332 TSecr=1932194962
20:50:01.360686 172.56.20.113 192.168.1.2 TLSv1.2 135 Application Data
20:50:01.360734 192.168.1.2 172.56.20.113 TCP 66 993 → 56077 [ACK] Seq=5280 Ack=753 Win=130944 Len=0 TSval=2344666332 TSecr=1931986575
20:50:01.360842 192.168.1.2 172.56.20.113 TLSv1.2 423 Application Data
20:50:01.362769 192.168.1.2 172.56.20.113 TLSv1.2 1434 Server Hello
20:50:01.362769 192.168.1.2 172.56.20.113 TLSv1.2 1434 Certificate [TCP segment of a reassembled PDU]
20:50:01.362770 192.168.1.2 172.56.20.113 TLSv1.2 280 Server Key Exchange, Server Hello Done
20:50:01.413246 172.56.20.113 192.168.1.2 TCP 66 56077 → 993 [ACK] Seq=753 Ack=5637 Win=130688 Len=0 TSval=1931986645 TSecr=2344666332
20:50:01.413247 172.56.20.113 192.168.1.2 TCP 66 [TCP Dup ACK 27109#1] 56077 → 993 [ACK] Seq=753 Ack=5637 Win=130688 Len=0 TSval=1931986645 TSecr=2344666332
20:50:01.435509 172.56.20.113 192.168.1.2 TCP 66 18575 → 443 [ACK] Seq=518 Ack=2737 Win=129024 Len=0 TSval=1932195046 TSecr=2344666334
20:50:01.435511 172.56.20.113 192.168.1.2 TLSv1.2 151 Application Data
20:50:01.435574 192.168.1.2 172.56.20.113 TCP 66 993 → 56077 [ACK] Seq=5637 Ack=838 Win=130944 Len=0 TSval=2344666405 TSecr=1931986645
20:50:01.435651 172.56.20.113 192.168.1.2 TCP 66 18575 → 443 [ACK] Seq=518 Ack=2951 Win=128896 Len=0 TSval=1932195046 TSecr=2344666334
20:50:01.435659 192.168.1.2 172.56.20.113 TLSv1.2 247 Application Data
20:50:01.436083 172.56.20.113 192.168.1.2 TLSv1.2 159 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
20:50:01.436120 192.168.1.2 172.56.20.113 TCP 66 443 → 18575 [ACK] Seq=2951 Ack=611 Win=130944 Len=0 TSval=2344666405 TSecr=1932195054
20:50:01.436417 192.168.1.2 172.56.20.113 TLSv1.2 117 Change Cipher Spec, Encrypted Handshake Message
20:50:01.501365 172.56.20.113 192.168.1.2 TCP 66 56077 → 993 [ACK] Seq=838 Ack=5818 Win=130816 Len=0 TSval=1931986716 TSecr=2344666405
20:50:01.510305 172.56.20.113 192.168.1.2 TCP 66 18575 → 443 [ACK] Seq=611 Ack=3002 Win=130944 Len=0 TSval=1932195115 TSecr=2344666405
20:50:01.510465 172.56.20.113 192.168.1.2 TLSv1.2 391 Application Data
20:50:01.510506 192.168.1.2 172.56.20.113 TCP 66 993 → 56077 [ACK] Seq=5818 Ack=1163 Win=130688 Len=0 TSval=2344666478 TSecr=1931986717
20:50:01.510748 192.168.1.2 172.56.20.113 TLSv1.2 183 Application Data
20:50:01.513945 172.56.20.113 192.168.1.2 TLSv1.2 412 Application Data
20:50:01.514020 192.168.1.2 172.56.20.113 TCP 66 443 → 18575 [ACK] Seq=3002 Ack=957 Win=130688 Len=0 TSval=2344666481 TSecr=1932195117
20:50:01.514585 192.168.1.2 172.56.20.113 TLSv1.2 532 Application Data
20:50:01.572254 172.56.20.113 192.168.1.2 TCP 66 56077 → 993 [ACK] Seq=1163 Ack=5935 Win=130944 Len=0 TSval=1931986787 TSecr=2344666478
20:50:01.595181 172.56.20.113 192.168.1.2 TCP 66 [TCP Dup ACK 27129#1] 56077 → 993 [ACK] Seq=1163 Ack=5935 Win=130944 Len=0 TSval=1931986787 TSecr=2344666478
20:50:01.595183 172.56.20.113 192.168.1.2 TLSv1.2 135 Application Data
20:50:01.595219 172.56.20.113 192.168.1.2 TCP 66 18575 → 443 [ACK] Seq=957 Ack=3468 Win=130560 Len=0 TSval=1932195189 TSecr=2344666481
20:50:01.595346 192.168.1.2 172.56.20.113 TCP 66 993 → 56077 [ACK] Seq=5935 Ack=1232 Win=130944 Len=0 TSval=2344666561 TSecr=1931986787
20:50:01.595461 192.168.1.2 172.56.20.113 TLSv1.2 151 Application Data
20:50:01.664392 172.56.20.113 192.168.1.2 TCP 66 56077 → 993 [ACK] Seq=1232 Ack=6020 Win=130944 Len=0 TSval=1931986868 TSecr=2344666561
20:50:01.664393 172.56.20.113 192.168.1.2 TCP 66 [TCP Dup ACK 27136#1] 56077 → 993 [ACK] Seq=1232 Ack=6020 Win=130944 Len=0 TSval=1931986868 TSecr=2344666561
20:50:01.674054 172.56.20.113 192.168.1.2 TLSv1.2 135 Application Data
20:50:01.674100 192.168.1.2 172.56.20.113 TCP 66 993 → 56077 [ACK] Seq=6020 Ack=1301 Win=130944 Len=0 TSval=2344666638 TSecr=1931986869
20:50:01.674176 192.168.1.2 172.56.20.113 TLSv1.2 423 Application Data
20:50:01.761370 172.56.20.113 192.168.1.2 TCP 66 56077 → 993 [ACK] Seq=1301 Ack=6377 Win=130688 Len=0 TSval=1931986954 TSecr=2344666638
20:50:01.767114 172.56.20.113 192.168.1.2 TLSv1.2 215 Application Data
20:50:01.767154 192.168.1.2 172.56.20.113 TCP 66 993 → 56077 [ACK] Seq=6377 Ack=1450 Win=130880 Len=0 TSval=2344666729 TSecr=1931986955
20:50:01.767217 192.168.1.2 172.56.20.113 TLSv1.2 279 Application Data
20:50:01.839372 172.56.20.113 192.168.1.2 TCP 66 56077 → 993 [ACK] Seq=1450 Ack=6590 Win=130816 Len=0 TSval=1931987029 TSecr=2344666729
20:50:01.842831 172.56.20.113 192.168.1.2 TLSv1.2 167 Application Data
20:50:01.842919 192.168.1.2 172.56.20.113 TCP 66 993 → 56077 [ACK] Seq=6590 Ack=1551 Win=130944 Len=0 TSval=2344666803 TSecr=1931987030
20:50:01.844760 192.168.1.2 172.56.20.113 TCP 1434 993 → 56077 [ACK] Seq=6590 Ack=1551 Win=131072 Len=1368 TSval=2344666804 TSecr=1931987030 [TCP segment of a reassembled PDU]
20:50:01.844760 192.168.1.2 172.56.20.113 TCP 1434 993 → 56077 [ACK] Seq=7958 Ack=1551 Win=131072 Len=1368 TSval=2344666804 TSecr=1931987030 [TCP segment of a reassembled PDU]
20:50:01.844760 192.168.1.2 172.56.20.113 TLSv1.2 1431 Application Data
20:50:01.932911 172.56.20.113 192.168.1.2 TCP 66 56077 → 993 [ACK] Seq=1551 Ack=9326 Win=128256 Len=0 TSval=1931987118 TSecr=2344666804
20:50:01.948760 172.56.20.113 192.168.1.2 TCP 66 56077 → 993 [ACK] Seq=1551 Ack=10691 Win=129664 Len=0 TSval=1931987137 TSecr=2344666804
20:50:01.964047 172.56.20.113 192.168.1.2 TLSv1.2 1127 Application Data
20:50:01.964143 192.168.1.2 172.56.20.113 TCP 66 993 → 56077 [ACK] Seq=10691 Ack=2612 Win=129984 Len=0 TSval=2344666922 TSecr=1931987143
20:50:01.964296 192.168.1.2 172.56.20.113 TLSv1.2 167 Application Data
20:50:01.966758 192.168.1.2 172.56.20.113 TLSv1.2 1434 Application Data, Application Data, Application Data, Application Data, Application Data, Application Data, Application Data, Application Data, Application Data, Application Data, Application Data, Application Data
20:50:01.966759 192.168.1.2 172.56.20.113 TLSv1.2 139 Application Data
20:50:01.968361 192.168.1.2 172.56.20.113 TLSv1.2 1434 Application Data, Application Data, Application Data, Application Data, Application Data, Application Data, Application Data, Application Data, Application Data, Application Data, Application Data
20:50:01.968362 192.168.1.2 172.56.20.113 TLSv1.2 102 Application Data
20:50:02.032382 172.56.20.113 192.168.1.2 TCP 66 56077 → 993 [ACK] Seq=2612 Ack=10792 Win=130944 Len=0 TSval=1931987224 TSecr=2344666922
20:50:02.033338 172.56.20.113 192.168.1.2 TCP 66 [TCP Dup ACK 27163#1] 56077 → 993 [ACK] Seq=2612 Ack=10792 Win=130944 Len=0 TSval=1931987224 TSecr=2344666922
20:50:02.035626 172.56.20.113 192.168.1.2 TCP 66 56077 → 993 [ACK] Seq=2612 Ack=12233 Win=129536 Len=0 TSval=1931987237 TSecr=2344666924
20:50:02.044253 172.56.20.113 192.168.1.2 TCP 66 56077 → 993 [ACK] Seq=2612 Ack=13637 Win=129664 Len=0 TSval=1931987241 TSecr=2344666926
20:50:02.044328 192.168.1.2 172.56.20.113 TLSv1.2 582 Application Data, Application Data, Application Data, Application Data
20:50:02.131410 172.56.20.113 192.168.1.2 TCP 66 56077 → 993 [ACK] Seq=2612 Ack=14153 Win=130432 Len=0 TSval=1931987316 TSecr=2344667000
20:50:02.140538 172.56.20.113 192.168.1.2 TCP 1454 56077 → 993 [ACK] Seq=2612 Ack=14153 Win=131072 Len=1388 TSval=1931987320 TSecr=2344667000 [TCP segment of a reassembled PDU]
20:50:02.140539 172.56.20.113 192.168.1.2 TLSv1.2 507 Application Data
20:50:02.140690 192.168.1.2 172.56.20.113 TCP 66 993 → 56077 [ACK] Seq=14153 Ack=4441 Win=129216 Len=0 TSval=2344667096 TSecr=1931987320
20:50:02.141068 192.168.1.2 172.56.20.113 TLSv1.2 199 Application Data
20:50:02.142379 192.168.1.2 172.56.20.113 TLSv1.2 1434 Application Data, Application Data, Application Data, Application Data, Application Data, Application Data, Application Data, Application Data, Application Data
20:50:02.142379 192.168.1.2 172.56.20.113 TLSv1.2 140 Application Data
20:50:02.143648 192.168.1.2 172.56.20.113 TLSv1.2 1434 Application Data, Application Data, Application Data, Application Data, Application Data, Application Data, Application Data, Application Data, Application Data, Application Data, Application Data
20:50:02.143648 192.168.1.2 172.56.20.113 TLSv1.2 134 Application Data
20:50:02.144609 192.168.1.2 172.56.20.113 TLSv1.2 1434 Application Data, Application Data, Application Data, Application Data, Application Data, Application Data, Application Data, Application Data, Application Data, Application Data
20:50:02.144609 192.168.1.2 172.56.20.113 TLSv1.2 145 Application Data
20:50:02.204908 172.56.20.113 192.168.1.2 TCP 66 56077 → 993 [ACK] Seq=4441 Ack=14286 Win=130816 Len=0 TSval=1931987394 TSecr=2344667096
20:50:02.204909 172.56.20.113 192.168.1.2 TCP 66 56077 → 993 [ACK] Seq=4441 Ack=15728 Win=129536 Len=0 TSval=1931987401 TSecr=2344667097
20:50:02.205025 172.56.20.113 192.168.1.2 TCP 66 56077 → 993 [ACK] Seq=4441 Ack=17164 Win=128128 Len=0 TSval=1931987401 TSecr=2344667098
20:50:02.207526 172.56.20.113 192.168.1.2 TCP 66 [TCP Window Update] 56077 → 993 [ACK] Seq=4441 Ack=17164 Win=131072 Len=0 TSval=1931987401 TSecr=2344667098
20:50:02.232051 172.56.20.113 192.168.1.2 TCP 66 56077 → 993 [ACK] Seq=4441 Ack=18611 Win=129536 Len=0 TSval=1931987408 TSecr=2344667099
20:50:02.247489 172.56.20.113 192.168.1.2 TLSv1.2 151 Application Data
20:50:02.247592 192.168.1.2 172.56.20.113 TCP 66 993 → 56077 [ACK] Seq=18611 Ack=4526 Win=130944 Len=0 TSval=2344667200 TSecr=1931987411
20:50:02.247767 192.168.1.2 172.56.20.113 TLSv1.2 567 Application Data
20:50:02.335200 172.56.20.113 192.168.1.2 TCP 66 56077 → 993 [ACK] Seq=4526 Ack=19112 Win=130560 Len=0 TSval=1931987495 TSecr=2344667200
20:50:02.341657 172.56.20.113 192.168.1.2 TLSv1.2 167 Application Data
20:50:02.341713 192.168.1.2 172.56.20.113 TCP 66 993 → 56077 [ACK] Seq=19112 Ack=4627 Win=130944 Len=0 TSval=2344667293 TSecr=1931987518
20:50:02.341859 192.168.1.2 172.56.20.113 TLSv1.2 391 Application Data
20:50:02.422182 172.56.20.113 192.168.1.2 TCP 66 56077 → 993 [ACK] Seq=4627 Ack=19437 Win=130688 Len=0 TSval=1931987586 TSecr=2344667293
20:50:02.423803 172.56.20.113 192.168.1.2 TLSv1.2 359 Application Data
20:50:02.423891 192.168.1.2 172.56.20.113 TCP 66 993 → 56077 [ACK] Seq=19437 Ack=4920 Win=130752 Len=0 TSval=2344667374 TSecr=1931987591
20:50:02.424117 192.168.1.2 172.56.20.113 TCP 1434 993 → 56077 [ACK] Seq=19437 Ack=4920 Win=131072 Len=1368 TSval=2344667374 TSecr=1931987591 [TCP segment of a reassembled PDU]
20:50:02.424118 192.168.1.2 172.56.20.113 TLSv1.2 143 Application Data
20:50:02.495047 172.56.20.113 192.168.1.2 TCP 66 56077 → 993 [ACK] Seq=4920 Ack=20882 Win=129536 Len=0 TSval=1931987669 TSecr=2344667374
20:50:02.605224 172.56.20.113 192.168.1.2 TLSv1.2 97 Encrypted Alert
20:50:02.605316 192.168.1.2 172.56.20.113 TCP 66 443 → 18575 [ACK] Seq=3468 Ack=988 Win=131008 Len=0 TSval=2344667553 TSecr=1932196208
20:50:02.605451 192.168.1.2 172.56.20.113 TLSv1.2 97 Encrypted Alert
20:50:02.605452 192.168.1.2 172.56.20.113 TCP 66 443 → 18575 [FIN, ACK] Seq=3499 Ack=988 Win=131072 Len=0 TSval=2344667553 TSecr=1932196208
20:50:02.610616 172.56.20.113 192.168.1.2 TCP 66 18575 → 443 [FIN, ACK] Seq=988 Ack=3468 Win=131072 Len=0 TSval=1932196208 TSecr=2344666481
20:50:02.610683 192.168.1.2 172.56.20.113 TCP 66 [TCP Out-Of-Order] 443 → 18575 [FIN, ACK] Seq=3499 Ack=989 Win=131072 Len=0 TSval=2344667558 TSecr=1932196208
20:50:02.663499 172.56.20.113 192.168.1.2 TCP 78 [TCP Out-Of-Order] 18575 → 443 [FIN, ACK] Seq=988 Ack=3468 Win=131072 Len=0 TSval=1932196281 TSecr=2344667553 SLE=3499 SRE=3500
20:50:02.663600 192.168.1.2 172.56.20.113 TCP 97 [TCP Out-Of-Order] 443 → 18575 [FIN, PSH, ACK] Seq=3468 Ack=989 Win=131072 Len=31 TSval=2344667609 TSecr=1932196208
20:50:02.670697 172.56.20.113 192.168.1.2 TCP 78 [TCP Out-Of-Order] 18575 → 443 [FIN, ACK] Seq=988 Ack=3468 Win=131072 Len=0 TSval=1932196281 TSecr=2344667553 SLE=3499 SRE=3500
20:50:02.670767 192.168.1.2 172.56.20.113 TCP 66 [TCP Out-Of-Order] 443 → 18575 [FIN, ACK] Seq=3499 Ack=989 Win=131072 Len=0 TSval=2344667616 TSecr=1932196208
20:50:02.671005 172.56.20.113 192.168.1.2 TCP 60 18575 → 443 [RST] Seq=988 Win=0 Len=0
20:50:02.726290 172.56.20.113 192.168.1.2 TCP 60 18575 → 443 [RST] Seq=989 Win=0 Len=0
20:50:02.741256 172.56.20.113 192.168.1.2 TCP 60 18575 → 443 [RST] Seq=989 Win=0 Len=0
20:50:03.134048 172.56.20.113 192.168.1.2 TLSv1.2 97 Encrypted Alert
20:50:03.134150 192.168.1.2 172.56.20.113 TCP 66 443 → 49587 [ACK] Seq=10675 Ack=1087 Win=131008 Len=0 TSval=2344668076 TSecr=1932197229
20:50:03.134294 192.168.1.2 172.56.20.113 TLSv1.2 97 Encrypted Alert
20:50:03.134294 192.168.1.2 172.56.20.113 TCP 66 443 → 49587 [FIN, ACK] Seq=10706 Ack=1087 Win=131072 Len=0 TSval=2344668076 TSecr=1932197229
20:50:03.149258 172.56.20.113 192.168.1.2 TCP 66 49587 → 443 [FIN, ACK] Seq=1087 Ack=10675 Win=131072 Len=0 TSval=1932197229 TSecr=2344666083
20:50:03.149328 192.168.1.2 172.56.20.113 TCP 66 [TCP Out-Of-Order] 443 → 49587 [FIN, ACK] Seq=10706 Ack=1088 Win=131072 Len=0 TSval=2344668091 TSecr=1932197229
20:50:03.208355 172.56.20.113 192.168.1.2 TCP 60 49587 → 443 [RST] Seq=1087 Win=0 Len=0
20:50:03.208356 172.56.20.113 192.168.1.2 TCP 60 49587 → 443 [RST] Seq=1087 Win=0 Len=0
20:50:03.208357 172.56.20.113 192.168.1.2 TCP 60 49587 → 443 [RST] Seq=1087 Win=0 Len=0
20:50:03.238694 172.56.20.113 192.168.1.2 TCP 60 49587 → 443 [RST] Seq=1088 Win=0 Len=0

1 Like
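The timestamp matching done by hand above (local log time with its -0500 offset against the capture's UTC clock), as an added example that is not from this thread: given one access-log line and the Wireshark packet list exported as text, it converts the log time to UTC and returns the packets within one second of it. If the client field parses as an IP address it also requires that address as source or destination; otherwise (an entry like the odd ones earlier in the thread) it falls back to the time window alone, which is what you want when the field gives you nothing to match on. It assumes the capture lines carry the same UTC date as the log entry, since the export shows time of day only. The legitimate log line and the first three capture lines are quoted from the post above; the last two capture lines, and the odd line's timestamp, are constructed.

```python
"""Correlate Apache access-log entries with Wireshark packet-list lines (added example)."""
import ipaddress
import re
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)"')
# Wireshark packet-list export: Time Source Destination Protocol Length Info
# (columns separated by spaces or tabs, as in the excerpts in this thread).
CAP_RE = re.compile(r'^(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+'
                    r'(?P<proto>\S+)\s+(?P<len>\d+)\s+(?P<info>.*)$')
PORT_RE = re.compile(r'(\d+) → (\d+)')


def log_entry(line):
    """Client field, request and the entry's timestamp converted to UTC."""
    m = LOG_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    return {"client": m.group("client"), "request": m.group("request"), "ts": when}


def parse_capture(lines, capture_date):
    """Turn exported packet-list lines into dicts with absolute UTC timestamps."""
    packets = []
    for line in lines:
        m = CAP_RE.match(line)
        if not m:
            continue
        tod = datetime.strptime(m.group("time"), "%H:%M:%S.%f").time()
        ports = PORT_RE.search(m.group("info"))   # absent on TLS-record lines
        packets.append({
            "ts": datetime.combine(capture_date, tod, tzinfo=timezone.utc),
            "src": m.group("src"), "dst": m.group("dst"), "proto": m.group("proto"),
            "sport": int(ports.group(1)) if ports else None,
            "dport": int(ports.group(2)) if ports else None,
            "info": m.group("info"),
        })
    return packets


def correlate(log_line, capture_lines, window=timedelta(seconds=1)):
    """Packets within `window` of the log entry, narrowed to the client IP when there is one."""
    entry = log_entry(log_line)
    if entry is None:
        return []
    try:
        client_ip = str(ipaddress.ip_address(entry["client"]))
    except ValueError:
        client_ip = None   # hostname or garbage in the client field: time window only
    hits = []
    for p in parse_capture(capture_lines, entry["ts"].date()):
        if abs(p["ts"] - entry["ts"]) > window:
            continue
        if client_ip and client_ip not in (p["src"], p["dst"]):
            continue
        hits.append(p)
    return hits


# Constructed sample. LEGIT_LOG and the first three CAPTURE lines are quoted from the
# thread; the last two CAPTURE lines are made up (another host inside the window, and a
# packet from the client outside it). ODD_LOG is the thread's odd client field with its
# timestamp moved to the same second so the fallback can be shown on the same capture.
LEGIT_LOG = r'172.56.20.113 - - [19/Oct/2020:15:50:01 -0500] "GET /lettersfromitaly/071230.html HTTP/1.1" 200 7304'
ODD_LOG = r'\xa0\xb6\x01-\xcd\x7f - - [19/Oct/2020:15:50:01 -0500] "GET /robots.txt HTTP/1.1" 301 239'
CAPTURE = [
    "20:50:01.011001 172.56.20.113 192.168.1.2 TCP 66 49587 → 443 [ACK] Seq=611 Ack=3002 Win=130944 Len=0 TSval=1932195075 TSecr=2344665897",
    "20:50:01.014160 172.56.20.113 192.168.1.2 TLSv1.2 511 Application Data",
    "20:50:01.278480 172.56.20.113 192.168.1.2 TCP 78 18575 → 443 [SYN, ECN, CWR] Seq=0 Win=65535 Len=0 MSS=1380 WS=128 TSval=1932194877 TSecr=0 SACK_PERM=1",
    "20:50:01.500000 104.153.234.13 192.168.1.2 TCP 66 443 → 54817 [ACK] Seq=1 Ack=1 Win=1890 Len=0",
    "20:50:05.000000 172.56.20.113 192.168.1.2 TCP 60 49587 → 443 [RST] Seq=1087 Win=0 Len=0",
]

if __name__ == "__main__":
    for label, line in (("legit", LEGIT_LOG), ("odd", ODD_LOG)):
        print(label, log_entry(line)["ts"].isoformat())
        for p in correlate(line, CAPTURE):
            print("  ", p["ts"].time(), p["src"], "->", p["dst"], p["proto"], p["info"][:40])
```

Apache stamps the entry with the time the request was received, so a one-second window either side covers the SYN and the request itself; widen it if the capture clock and the server clock are not the same clock. When the odd entries return nothing at all, as they did for the poster, the problem is the capture interface rather than the matching.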

Does Wireshark listen on all interfaces? I agree that whatever weird traffic Apache is seeing isn't on whatever interface Wireshark is monitoring.

2 Likes

Well, the router forwards ports 80 and 443 to the machine's fixed (not DHCP) en0 (wired Ethernet) LAN address. The machine also has a wifi connection, but…um, well, I'm not sure why! I don't think anything uses it. I can try turning it off, but I really don't think anyone can dial into it except from my LAN.

Oh, and Wireshark is only listening on en0.

1 Like

So if Wireshark is listening on en0 and not picking up the traffic that corresponds to the weird Apache logs, can you try running it on other interfaces and seeing if it picks up the traffic there? Some kind of local interface, or Unix socket, or something along those lines would be my best guess at this point. How you get random robots.txt requests from the Internet through one of those I couldn't tell you, though.

1 Like

I have these choices of interface. The wifi is pretty quiet but not silent; the rest are silent, except of course for loopback. And in fact the wifi is all broadcast stuff.

2 Likes