Wireshark-bugs: [Wireshark-bugs] [Bug 13116] New: HTTP dissector does not detect response when 2
Date: Wed, 09 Nov 2016 21:41:34 +0000
Bug ID 13116
Summary HTTP dissector does not detect response when 204 with Content-type
Product Wireshark
Version 2.1.x (Experimental)
Hardware x86-64
OS Fedora
Status UNCONFIRMED
Severity Normal
Priority Low
Component Dissection engine (libwireshark)
Assignee bugzilla-admin@wireshark.org
Reporter antoine@stickyads.tv

Created attachment 15055 [details]
pcap showing 2 HTTP responses in same packet - weird-204.pcap

Build Information:
TShark (Wireshark) 2.1.1 (Git Rev Unknown from unknown)

Copyright 1998-2016 Gerald Combs <gerald@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with GLib 2.48.1, with zlib 1.2.8, with SMI 0.4.8, with c-ares 1.11.0, without
Lua, with GnuTLS 3.4.14, with Gcrypt 1.6.5, with MIT Kerberos, with GeoIP.

Running on Linux 4.8.4-200.fc24.x86_64, with locale en_US.UTF-8, with libpcap
version 1.7.4, with GnuTLS 3.4.16, with Gcrypt 1.6.6, with zlib 1.2.8.
Intel(R) Core(TM) i7-4510U CPU @ 2.00GHz (with SSE4.2)

Built using gcc 6.1.1 20160621 (Red Hat 6.1.1-3).

--
If I run:

tshark -r weird-204.pcap -T fields -e frame.number -e frame.time -e ip.src -e
http.response.code -e http.time

I get this output:

1   Nov  9, 2016 17:45:55.453409000 CET 176.31.224.85       
2   Nov  9, 2016 17:45:55.490626000 CET 46.228.164.12       
3   Nov  9, 2016 17:45:55.490644000 CET 176.31.224.85       
4   Nov  9, 2016 17:45:56.633395000 CET 176.31.224.85       
5   Nov  9, 2016 17:45:56.653943000 CET 46.228.164.12       
6   Nov  9, 2016 17:45:56.653959000 CET 176.31.224.85       
7   Nov  9, 2016 17:46:11.330837000 CET 176.31.224.85       
8   Nov  9, 2016 17:46:11.350015000 CET 46.228.164.12   204,204 14.716620000
9   Nov  9, 2016 17:46:11.350034000 CET 176.31.224.85

What I don't understand is that packet 8 seems to have 2 204 responses. If you
look carefully at the packets, you will see that: packet 1 is the HTTP request,
packet 2 is an HTTP response 204 (the first one), packet 3 is an ack for packet
2, packet 4 is the second HTTP request, etc.

I was expecting to have packet 2 dissected as an HTTP response with status 204
but it is not.

Posted for help here:
https://ask.wireshark.org/questions/57217/problem-with-http-dissector-on-204-with-content-type
where I was recommended to post a bug.

If there is a workaround I'm happy to try it.


You are receiving this mail because:
  • You are watching all bug changes.