Wireshark-bugs: [Wireshark-bugs] [Bug 3785] Some HTTP responses don't decode with TCP reassembly
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3785
--- Comment #4 from aandres@xxxxxxxxxx 2010-02-25 07:35:18 PST ---
Me again... :)
Unfortunately your patch doesn't work with my latest attachment
("two-get-1-resp.pcap"). :(
The attachment contains 2 GET (within the same frame) and 2 HTTP responses
(both 200 OK).
-------------------
/************************
TSHARK *WITH* CHRIS PATCH
*************************/
mad:/tmp# tshark -n -o "tcp.desegment_tcp_streams:TRUE" -o "http.desegment_headers:TRUE" -o "http.desegment_body:TRUE" -r two-get-1-resp.pcap -R "http.request.method != 0 or http.response.code != 0"
Running as user "root" and group "root". This could be dangerous.
4 0.173513 192.168.2.200 -> 195.20.242.89 HTTP GET
/pool/updates/main/b/bind9/bind9-host_9.5.1.dfsg.P3-1+lenny1_amd64.deb HTTP/1.1
GET /pool/updates/main/b/bind9/dnsutils_9.5.1.dfsg.P3-1+lenny1_amd64.deb
HTTP/1.1
6 0.429444 195.20.242.89 -> 192.168.2.200 HTTP HTTP/1.1 200 OK
(application/x-debian-package)
# ...there is 1 HTTP response missing :(
/***************************
TSHARK *WITHOUT* CHRIS PATCH
****************************/
# Once we removed the Chris patch the output seems right...
mad:/tmp# tshark -n -o "tcp.desegment_tcp_streams:TRUE" -o "http.desegment_headers:TRUE" -o "http.desegment_body:TRUE" -r /usr/local/src/pcap/two-get-1-resp.pcap -R "http.request.method != 0 or http.response.code != 0"
Running as user "root" and group "root". This could be dangerous.
4 0.173513 192.168.2.200 -> 195.20.242.89 HTTP GET
/pool/updates/main/b/bind9/bind9-host_9.5.1.dfsg.P3-1+lenny1_amd64.deb HTTP/1.1
GET /pool/updates/main/b/bind9/dnsutils_9.5.1.dfsg.P3-1+lenny1_amd64.deb
HTTP/1.1
85 1.352351 195.20.242.89 -> 192.168.2.200 HTTP HTTP/1.1 200 OK
(application/x-debian-package)
257 1.916961 195.20.242.89 -> 192.168.2.200 HTTP HTTP/1.1 200 OK
(application/x-debian-package)
# ... as you can see now we have the 2 HTTP responses with all the PDU data
reassembled (note the frame number).
# With the http.desegment.headers disabled the output lost 1 of the
responses...
mad:/tmp# tshark -n -o "tcp.desegment_tcp_streams:TRUE" -o "http.desegment_headers:FALSE" -o "http.desegment_body:TRUE" -r /usr/local/src/pcap/two-get-1-resp.pcap -R "http.request.method != 0 or http.response.code != 0"
Running as user "root" and group "root". This could be dangerous.
4 0.173513 192.168.2.200 -> 195.20.242.89 HTTP GET
/pool/updates/main/b/bind9/bind9-host_9.5.1.dfsg.P3-1+lenny1_amd64.deb HTTP/1.1
GET /pool/updates/main/b/bind9/dnsutils_9.5.1.dfsg.P3-1+lenny1_amd64.deb
HTTP/1.1
6 0.429444 195.20.242.89 -> 192.168.2.200 HTTP HTTP/1.1 200 OK
(application/x-debian-package)
-------------------
Hope this helps.