Malformed HTTP Content-Type value from Apache-Coyote 1.1
Couple days ago, I was maintaining AppQoS appliances at customer site and noticed that one of our analysis tables from the HTTP module produced some strange results.
The table displays all the HTTP traffic in terms of media type (MIME) and transaction size in descending order. So that the network administrator can quickly notify which users have been abusing the network with video, audio or other binary streams. However, one traffic displayed with media type string ‘Content-Type: text’ instead of ‘text’ which the AppQoS HTTP module should have already parsed the string ‘Content-Type:’.
So I launched a browser with that link and captured the data. In Wireshark, it shows that the Content-Type field in the HTTP response packet is indeed malformed. The web server which produced the response protocol is Apache-Coyote/1.1.
Here is a wireshark screenshot of the malformed HTTP packet.