  1. #1
    ahuxham

    Strange Squid behaviour

    Hi All,

    Wondering if anyone had any insight into the following error/quirk, as Google doesn't provide a suitable answer as the question is obscure.

    When reading logs, or using "sarg" to process a log into statistics, it always shows traffic for 192.168.0.0 (which is the ACL defined as internal LAN). All traffic is denied; however, it then does, as it should, report per username (ntlm_auth -- single-sign-on).

    Now, I have searched Google and found nothing, but EVERY request a user makes, i.e.

    Code:
    192.168.0.0 d www.google.com
    192.168.0.0 d www.google.co.uk
    k.bridson 1 www.google.com
    k.bridson 1 www.google.co.uk
    Implying that localhost or some obscure call makes the first request, is then denied, and then the user requests and receives content.

    "The above is shown through SquidView, to monitor traffic, and every occurrence of 192.168.0.0 has denied access. Yesterday's usage was around 900mb, but the line only has 5-7 trial members testing it, and 192.168.0.0 pulled almost 140mb data, I would like to hope it's not repeating the data, as that's unnecessary data fetching"

    Anyone have any ideas?

  2. #2

    Geoff
    This is normal behaviour. NTLM is a challenge/response protocol. As a result of the negotiation process between the client browser and the proxy, several deny lines will be logged before they finally agree and the request succeeds.

  3. #3

    I think that this is generally what you expect to see in proxy logs (and web logs).

    Basically, when you go to get a web page, your browser doesn't know that it needs to authenticate so it asks the proxy anonymously for Google etc. The proxy then says "I need authentication to do this" and so the browser then re-submits the request with credentials.

    What you generally see is that the first request is duplicated like that; subsequent requests during the same browser session don't need re-authentication.

    You can watch the exchange with Wireshark if you want to know more of the gory details :-)

  4. #4
    ahuxham
    I see, as explained above. Very interesting indeed, never noticed it last time the machine was around.

    So, I'm to guess that by default there's going to be extra bandwidth used when using ntlm_auth, and there's not much to do about it. I suppose the fact that it's only a request rather than a full page load is a bit easier.

    I always assumed, browser request > squid (auth yes|no) > auth yes request page.

  5. #5


    tom_newton
    I think you will find that it is "ghost" bandwidth, logged but not downloaded. I can ask one of our developers though, they may know. Or Geoff will ;-P

  6. #6

    It is a tiny amount of data - the actual amount of "waste" if you like is little more than the length of the URL (that's the bit which gets duplicated).

    When you look at all the other stuff going on on a network, it's not really causing much congestion :-)
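
Added example, not part of the thread: a short Python script that applies the explanation given in the replies to a Squid access.log, separating anonymous 407 denies that are followed by an authenticated request for the same URL from the same client (the normal NTLM negotiation) from denies that never complete. The log lines are constructed in Squid's native format, and the 5-second pairing window and the function names are assumptions.

```python
from collections import defaultdict

# Constructed sample in Squid's native access.log layout (not from the thread):
# time elapsed client action/status bytes method URL user hierarchy type
SAMPLE_LOG = """\
1210755600.101      1 192.168.0.57 TCP_DENIED/407 1812 GET http://www.google.com/ - NONE/- text/html
1210755600.140      1 192.168.0.57 TCP_DENIED/407 2034 GET http://www.google.com/ - NONE/- text/html
1210755600.395    212 192.168.0.57 TCP_MISS/200 6120 GET http://www.google.com/ k.bridson DIRECT/www.google.com text/html
1210755601.020      1 192.168.0.57 TCP_DENIED/407 1818 GET http://www.google.co.uk/ - NONE/- text/html
1210755601.310    180 192.168.0.57 TCP_MISS/200 5904 GET http://www.google.co.uk/ k.bridson DIRECT/www.google.co.uk text/html
1210755700.500      1 192.168.0.99 TCP_DENIED/407 1820 GET http://example.test/ - NONE/- text/html
1210755700.900      1 192.168.0.99 TCP_DENIED/407 1820 GET http://example.test/ - NONE/- text/html
"""

def parse(line):
    f = line.split()
    action, status = f[3].split("/")
    return {"ts": float(f[0]), "client": f[2], "action": action,
            "status": int(status), "bytes": int(f[4]), "url": f[6], "user": f[7]}

def classify_denies(log_text, window=5.0):
    """Split anonymous 407 denies into handshake steps and unresolved ones.

    A deny is a handshake step when the same client gets the same URL
    with a username within `window` seconds (window is an assumed value).
    """
    entries = [parse(l) for l in log_text.splitlines() if l.strip()]
    # Timestamps of authenticated requests, keyed by (client, url).
    authed = defaultdict(list)
    for e in entries:
        if e["user"] != "-" and e["action"] != "TCP_DENIED":
            authed[(e["client"], e["url"])].append(e["ts"])
    result = {"handshake": [], "unresolved": []}
    for e in entries:
        if e["action"] == "TCP_DENIED" and e["status"] == 407 and e["user"] == "-":
            followed = any(0 <= t - e["ts"] <= window
                           for t in authed[(e["client"], e["url"])])
            result["handshake" if followed else "unresolved"].append(e)
    return result

def summarize(log_text):
    r = classify_denies(log_text)
    return {"handshake_denies": len(r["handshake"]),
            "handshake_bytes": sum(e["bytes"] for e in r["handshake"]),
            "unresolved_clients": sorted({e["client"] for e in r["unresolved"]})}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

The byte count on a 407 line is the size of the proxy's own reply to the client, so `handshake_bytes` measures the negotiation overhead; clients listed as unresolved were denied and never completed authentication within the window.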
