[squid-users] how debug google status codes in log file

[Amos Jeffries]

On 25/06/18 23:27, --Ahmad-- wrote:
> Hi Amos
> 
> thanks for the reply .
> 
> actually the sample i put is seems incorrect  im supposed to push the request as below :
> 
> 25/Jun/2018:12:22:16 +0100   4057 32.175.99.98 16993 188.157.235.133 2000 TCP_TUNNEL/200 224466 CONNECT www.google.com:443 dfrrew HIER_DIRECT/ www.google.com 2a00:1450:4009:815::2004 2406:a901:416f:bdd9:392:4b51:d110:c6b9
> 25/Jun/2018:12:22:17 +0100   3456 32.175.99.98 17317 188.157.235.133 2000 TCP_TUNNEL/200 211560 CONNECT www.google.com:443 dfrrew HIER_DIRECT/ www.google.com 2a00:1450:4009:815::2004 2406:a901:6963:b915:91dd:ac97:af6b:843e
> 25/Jun/2018:12:22:17 +0100   2351 32.175.99.98 17607 188.157.235.133 2000 TCP_TUNNEL/200 220144 CONNECT www.google.com:443 dfrrew HIER_DIRECT/ www.google.com 2a00:1450:4009:815::2004 2406:a901:d64b:2c12:29a0:3422:f505:a689
> 25/Jun/2018:12:22:17 +0100   2299 32.175.99.98 17491 188.157.235.133 2000 TCP_TUNNEL/200 174475 CONNECT www.google.com:443 dfrrew HIER_DIRECT/ www.google.com 2a00:1450:4009:815::2004 2406:a901:52f5:b367:b482:40da:36f7:7bf6
> 
> 
> so above is what is what logs i say about .
> 
> 
> all what  i need is to know if the request gone correctly 
> or there was a captcha page 

There is no way to tell from that. CONNECT is a tunnel containing many
encrypted/hidden requests.

Since that is a custom format, I hesitate to say what the above means.


> 
> is there any footprints can i look for to know ?

Not without SSL-Bump decrypting the tunnel contents.

> like message reply size or so as connection encrypted 
> many thanks 
> 

The size of data in the tunnel can give a rough view of whether it did
*something*, vs was dropped by the server. eg sending KB or more data
likely did at least one HTTP request/reply (assuming its actually HTTPS).

Other than that, no. TLS is designed explicitly to hide that type of
info you are looking for.

Amos