Wireshark-bugs: [Wireshark-bugs] [Bug 3785] Some HTTP responses don't decode with TCP reassembly
Date: Thu, 25 Feb 2010 06:43:53 -0800 (PST)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3785

aandres@xxxxxxxxxx changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |aandres@xxxxxxxxxx

--- Comment #2 from aandres@xxxxxxxxxx 2010-02-25 06:43:50 PST ---
Chris, I'm not totally sure about your findings, I'm facing the same problem
but in a different scenario, surprisingly your patch worked successfully in my
context. :)

See below...

////////////////////////
# tshark -v
TShark 1.3.4 (SVN Rev 32003 from /trunk)

Copyright 1998-2010 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled with GLib 2.16.6, with libpcap 0.9.8, with libz 1.2.3.3, without POSIX
capabilities, without libpcre, without SMI, without c-ares, without ADNS, with
Lua 5.1, without Python, with GnuTLS 2.4.2, with Gcrypt 1.4.1, without
Kerberos,
without GeoIP.

Running on Linux 2.6.26-2-amd64, with libpcap version 0.9.8, GnuTLS 2.4.2,
Gcrypt 1.4.1.

Built using gcc 4.3.2.
////////////////////////

/***************************
TSHARK *WITHOUT* CHRIS PATCH
****************************/

# As you can see, my capture file contains a response splitted in 2 packets
# with "TCP Out-Of-Order" but the full response has a Content-type as well a
# Content-lenght header.

# First take a look to the Tshark output enabling all of the desegment features
# (tcp, http headers and http body):

mad:/tmp# tshark -n -o "tcp.desegment_tcp_streams:TRUE" -o
"http.desegment_headers:TRUE" -o "http.desegment_body:TRUE" -r
/usr/local/src/pcap/tcp-bad-order.pcap -R "http.request.method != 0 or
http.response.code != 0"
Running as user "root" and group "root". This could be dangerous.
  4   0.062535  172.17.1.41 -> 195.76.187.83 HTTP GET / HTTP/1.1
 10   0.142165  172.17.1.41 -> 195.76.187.83 HTTP GET /favicon.ico HTTP/1.1
 14   0.272430 195.76.187.83 -> 172.17.1.41  HTTP HTTP/1.1 200 OK  (text/plain)

# Unfortunately the splitted response is not decoded... :(


# Now we try it but just disabling the "desegment http headers"...

mad:/tmp# tshark -n -o "tcp.desegment_tcp_streams:TRUE" -o
"http.desegment_headers:FALSE" -o "http.desegment_body:TRUE" -r
/usr/local/src/pcap/tcp-bad-order.pcap -R "http.request.method != 0 or
http.response.code != 0"
Running as user "root" and group "root". This could be dangerous.
  4   0.062535  172.17.1.41 -> 195.76.187.83 HTTP GET / HTTP/1.1
  8   0.131416 195.76.187.83 -> 172.17.1.41  HTTP [TCP Out-Of-Order] HTTP/1.1
200 OK  (text/html)
 10   0.142165  172.17.1.41 -> 195.76.187.83 HTTP GET /favicon.ico HTTP/1.1
 11   0.209427 195.76.187.83 -> 172.17.1.41  HTTP HTTP/1.1 200 OK  (text/plain)

# Now the response is decoded, interesting, go to next step... :o


/************************
TSHARK *WITH* CHRIS PATCH
*************************/

# Ok I've applied your patch, take another look...

# ...first with all features enabled...

mad:/tmp# tshark -n -o "tcp.desegment_tcp_streams:TRUE" -o
"http.desegment_headers:TRUE" -o "http.desegment_body:TRUE" -r
/usr/local/src/pcap/tcp-bad-order.pcap -R "http.request.method != 0 or
http.response.code != 0"
Running as user "root" and group "root". This could be dangerous.
  4   0.062535  172.17.1.41 -> 195.76.187.83 HTTP GET / HTTP/1.1
  8   0.131416 195.76.187.83 -> 172.17.1.41  HTTP [TCP Out-Of-Order] HTTP/1.1
200 OK  (text/html)
 10   0.142165  172.17.1.41 -> 195.76.187.83 HTTP GET /favicon.ico HTTP/1.1
 11   0.209427 195.76.187.83 -> 172.17.1.41  HTTP HTTP/1.1 200 OK  (text/plain)

# ...It works! Now with "desegment http headers" disabled...

mad:/tmp# tshark -n -o "tcp.desegment_tcp_streams:TRUE" -o
"http.desegment_headers:FALSE" -o "http.desegment_body:TRUE" -r
/usr/local/src/pcap/tcp-bad-order.pcap -R "http.request.method != 0 or
http.response.code != 0"
Running as user "root" and group "root". This could be dangerous.
  4   0.062535  172.17.1.41 -> 195.76.187.83 HTTP GET / HTTP/1.1
  8   0.131416 195.76.187.83 -> 172.17.1.41  HTTP [TCP Out-Of-Order] HTTP/1.1
200 OK  (text/html)
 10   0.142165  172.17.1.41 -> 195.76.187.83 HTTP GET /favicon.ico HTTP/1.1
 11   0.209427 195.76.187.83 -> 172.17.1.41  HTTP HTTP/1.1 200 OK  (text/plain)

# Please, people from the dev-team... could anyone take a more deeply look to
the Chris patch?

-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.