Wireshark-bugs: [Wireshark-bugs] [Bug 3785] Some HTTP responses don't decode with TCP reassembly
Date: Thu, 25 Feb 2010 07:35:23 -0800 (PST)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3785

--- Comment #4 from aandres@xxxxxxxxxx 2010-02-25 07:35:18 PST ---
Me again... :)

Unfortunately your patch doesn't work with my latest attachment
("two-get-1-resp.pcap". :(

The attachment contains 2 GET (within the same frame) and 2 HTTP responses
(both 200 OK).

-------------------

/************************
TSHARK *WITH* CHRIS PATCH
*************************/

mad:/tmp# tshark -n -o "tcp.desegment_tcp_streams:TRUE" -o
"http.desegment_headers:TRUE" -o "http.desegment_body:TRUE" -r
two-get-1-resp.pcap -R "http.request.method != 0 or http.response.code != 0"
Running as user "root" and group "root". This could be dangerous.
  4   0.173513 192.168.2.200 -> 195.20.242.89 HTTP GET
/pool/updates/main/b/bind9/bind9-host_9.5.1.dfsg.P3-1+lenny1_amd64.deb HTTP/1.1
GET /pool/updates/main/b/bind9/dnsutils_9.5.1.dfsg.P3-1+lenny1_amd64.deb
HTTP/1.1
  6   0.429444 195.20.242.89 -> 192.168.2.200 HTTP HTTP/1.1 200 OK 
(application/x-debian-package)

# ...there is lack of 1 HTTP response :(


/***************************
TSHARK *WITHOUT* CHRIS PATCH
****************************/

# Once we removed the Chris patch the output seems right...

mad:/tmp# tshark -n -o "tcp.desegment_tcp_streams:TRUE" -o
"http.desegment_headers:TRUE" -o "http.desegment_body:TRUE" -r
/usr/local/src/pcap/two-get-1-resp.pcap -R "http.request.method != 0 or
http.response.code != 0"
Running as user "root" and group "root". This could be dangerous.
  4   0.173513 192.168.2.200 -> 195.20.242.89 HTTP GET
/pool/updates/main/b/bind9/bind9-host_9.5.1.dfsg.P3-1+lenny1_amd64.deb HTTP/1.1
GET /pool/updates/main/b/bind9/dnsutils_9.5.1.dfsg.P3-1+lenny1_amd64.deb
HTTP/1.1
 85   1.352351 195.20.242.89 -> 192.168.2.200 HTTP HTTP/1.1 200 OK 
(application/x-debian-package)
257   1.916961 195.20.242.89 -> 192.168.2.200 HTTP HTTP/1.1 200 OK 
(application/x-debian-package)

# ... as you can see now we have the 2 HTTP responses with all the PDU data
reassembled (note the frame number).



# With the http.desegment.headers disabled the output lost 1 of the
responses...

mad:/tmp# tshark -n -o "tcp.desegment_tcp_streams:TRUE" -o
"http.desegment_headers:FALSE" -o "http.desegment_body:TRUE" -r
/usr/local/src/pcap/two-get-1-resp.pcap -R "http.request.method != 0 or
http.response.code != 0"
Running as user "root" and group "root". This could be dangerous.
  4   0.173513 192.168.2.200 -> 195.20.242.89 HTTP GET
/pool/updates/main/b/bind9/bind9-host_9.5.1.dfsg.P3-1+lenny1_amd64.deb HTTP/1.1
GET /pool/updates/main/b/bind9/dnsutils_9.5.1.dfsg.P3-1+lenny1_amd64.deb
HTTP/1.1
  6   0.429444 195.20.242.89 -> 192.168.2.200 HTTP HTTP/1.1 200 OK 
(application/x-debian-package)

-------------------

Hope this helps.

-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.