
Unknown https call from my computer


I captured a weird call history with Fiddler.

The call repeatedly occurred.

I searched it with several keywords, but there were no clues.

Anyone know about this?


CNT https://1 CON 216
Context: 67bc
Last-Msg-Id: 0

------------------------------------------------------------------

CNT https://1 CON 231
Context: 6402
Last-Msg-Id: 159d428c446a5b3e




------------------------------------------------------------------

CNT https://1 CON 216
Context: 61ce
Last-Msg-Id: 0




------------------------------------------------------------------

CNT https://1 CON 231
Context: 5dc2
Last-Msg-Id: 159d428c446a5b3e




------------------------------------------------------------------

CNT https://1 CON 216
Context: 5be6
Last-Msg-Id: 0




------------------------------------------------------------------

CNT https://1 CON 231
Context: 581c
Last-Msg-Id: 159d428c446a5b3e




------------------------------------------------------------------

CNT https://1 CON 216
Context: 5642
Last-Msg-Id: 0




------------------------------------------------------------------

CNT https://1 CON 231
Context: 52bd
Last-Msg-Id: 159d428c446a5b3e




------------------------------------------------------------------

CNT https://1 CON 216
Context: 5156
Last-Msg-Id: 0




------------------------------------------------------------------

CNT https://1 CON 231
Context: 4da3
Last-Msg-Id: 159d428c446a5b3e




------------------------------------------------------------------

CNT https://1 CON 216
Context: 4cce
Last-Msg-Id: 0




------------------------------------------------------------------

CNT https://1 CON 231
Context: 4912
Last-Msg-Id: 159d428c446a5b3e




------------------------------------------------------------------

CNT https://1 CON 216
Context: 48c3
Last-Msg-Id: 0




------------------------------------------------------------------

CNT https://1 CON 231
Context: 4510
Last-Msg-Id: 159d428c446a5b3e




------------------------------------------------------------------

CNT https://1 CON 216
Context: 44f3
Last-Msg-Id: 0




------------------------------------------------------------------

CNT https://1 CON 231
Context: 4171
Last-Msg-Id: 159d428c446a5b3e




------------------------------------------------------------------

CNT https://1 CON 216
Context: 4164
Last-Msg-Id: 0




------------------------------------------------------------------

CNT https://1 CON 231
Context: 3e64
Last-Msg-Id: 159d428c446a5b3e




------------------------------------------------------------------

CNT https://1 CON 216
Context: 3e5e
Last-Msg-Id: 0




------------------------------------------------------------------

CNT https://1 CON 231
Context: 3bee
Last-Msg-Id: 159d428c446a5b3e




------------------------------------------------------------------

CNT https://1 CON 216
Context: 3bee
Last-Msg-Id: 0




------------------------------------------------------------------

CNT https://1 CON 231
Context: 39e7
Last-Msg-Id: 159d428c446a5b3e




------------------------------------------------------------------

CNT https://1 CON 216
Context: 39e7
Last-Msg-Id: 0




------------------------------------------------------------------

CNT https://1 CON 216
Context: 39dd
Last-Msg-Id: 0




------------------------------------------------------------------

CNT https://1 CON 231
Context: 39dd
Last-Msg-Id: 159d428c446a5b3e




------------------------------------------------------------------

Solution

  • Yeah, I've seen this before, coming from the Windows Explorer process. It's harmless, but basically what's happening is the client is trying to send non-HTTP traffic through an HTTPS proxy tunnel, and because it's not legal HTTPS traffic, you get the weird parsing errors as shown in your screenshot.

    Sadly, I don't remember my findings about what specific Windows feature causes this. See the wnpconnmanager.cpp remark at https://github.com/cvandeplas/plaso/blob/master/test_data/skydriveerr.log, maybe this is from the Windows Notification Service?
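
A triage sketch for the behaviour the answer describes, added here as an example and not part of the original post: it checks whether the first line of each captured record has the shape of an HTTP/1.x request line and groups the records to expose the repeating pattern. The function names are hypothetical, the record layout (one first line followed by `Name: value` lines) is an assumption read off the dump in the question, and the `GET` line is constructed for contrast.

```python
import re
from collections import Counter

# HTTP/1.x request line: method SP request-target SP HTTP-version
HTTP_REQUEST_LINE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+ \S+ HTTP/\d\.\d$")

# Three records copied from the capture in the question, separators included.
SAMPLE = """\
CNT https://1 CON 216
Context: 61ce
Last-Msg-Id: 0
------------------------------------------------------------------
CNT https://1 CON 231
Context: 5dc2
Last-Msg-Id: 159d428c446a5b3e
------------------------------------------------------------------
CNT https://1 CON 216
Context: 5be6
Last-Msg-Id: 0
"""

def parse_records(text):
    """Split a dump into records: a first line plus 'Name: value' lines."""
    cleaned = re.sub(r"^-{5,}[ \t]*$", "", text, flags=re.M)  # drop separators
    records = []
    for block in re.split(r"\n\s*\n", cleaned.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if lines:
            headers = dict(ln.split(": ", 1) for ln in lines[1:] if ": " in ln)
            records.append({"first_line": lines[0], "headers": headers})
    return records

def is_http_request(first_line):
    """True only if the line has the shape of an HTTP/1.x request line."""
    return HTTP_REQUEST_LINE.match(first_line) is not None

def summarize(records):
    """Count records by (looks like HTTP?, first line, Last-Msg-Id)."""
    return Counter(
        (is_http_request(r["first_line"]), r["first_line"],
         r["headers"].get("Last-Msg-Id"))
        for r in records
    )

if __name__ == "__main__":
    for key, count in summarize(parse_records(SAMPLE)).items():
        print(count, key)
    print(is_http_request("GET /index.html HTTP/1.1"))  # constructed contrast case
```

Grouping by first line and `Last-Msg-Id` collapses the long capture into the two record shapes that alternate in it, which is the quickest way to confirm that one client is repeating the same non-HTTP exchange.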