Wireshark-bugs: [Wireshark-bugs] [Bug 13116] New: HTTP dissector does not detect response when 2
Bug ID |
13116
|
Summary |
HTTP dissector does not detect response when 204 with Content-type
|
Product |
Wireshark
|
Version |
2.1.x (Experimental)
|
Hardware |
x86-64
|
OS |
Fedora
|
Status |
UNCONFIRMED
|
Severity |
Normal
|
Priority |
Low
|
Component |
Dissection engine (libwireshark)
|
Assignee |
bugzilla-admin@wireshark.org
|
Reporter |
antoine@stickyads.tv
|
Created attachment 15055 [details]
pcap showing 2 HTTP responses in same packet - weird-204.pcap
Build Information:
TShark (Wireshark) 2.1.1 (Git Rev Unknown from unknown)
Copyright 1998-2016 Gerald Combs <gerald@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with GLib 2.48.1, with zlib 1.2.8, with SMI 0.4.8, with c-ares 1.11.0, without
Lua, with GnuTLS 3.4.14, with Gcrypt 1.6.5, with MIT Kerberos, with GeoIP.
Running on Linux 4.8.4-200.fc24.x86_64, with locale en_US.UTF-8, with libpcap
version 1.7.4, with GnuTLS 3.4.16, with Gcrypt 1.6.6, with zlib 1.2.8.
Intel(R) Core(TM) i7-4510U CPU @ 2.00GHz (with SSE4.2)
Built using gcc 6.1.1 20160621 (Red Hat 6.1.1-3).
--
If I run:
tshark -r weird-204.pcap -T fields -e frame.number -e frame.time -e ip.src -e
http.response.code -e http.time
I get this output:
1 Nov 9, 2016 17:45:55.453409000 CET 176.31.224.85
2 Nov 9, 2016 17:45:55.490626000 CET 46.228.164.12
3 Nov 9, 2016 17:45:55.490644000 CET 176.31.224.85
4 Nov 9, 2016 17:45:56.633395000 CET 176.31.224.85
5 Nov 9, 2016 17:45:56.653943000 CET 46.228.164.12
6 Nov 9, 2016 17:45:56.653959000 CET 176.31.224.85
7 Nov 9, 2016 17:46:11.330837000 CET 176.31.224.85
8 Nov 9, 2016 17:46:11.350015000 CET 46.228.164.12 204,204 14.716620000
9 Nov 9, 2016 17:46:11.350034000 CET 176.31.224.85
What I don't understand is that packet 8 seems to have 2 204 responses. If you
look carefully at the packets, you will see that: packet 1 is the HTTP request,
packet 2 is an HTTP response 204 (the first one), packet 3 is an ack for packet
2, packet 4 is the second HTTP request, etc.
I was expecting to have packet 2 dissected as an HTTP response with status 204
but it is not.
Posted for help here:
https://ask.wireshark.org/questions/57217/problem-with-http-dissector-on-204-with-content-type
where I was recommended to post a bug.
If there is a workaround I'm happy to try it.
You are receiving this mail because:
- You are watching all bug changes.