Wireshark mailing list archives
Re: Question about reassembled fragmentation
From: Guy Harris <guy () alum mit edu>
Date: Wed, 11 Nov 2009 00:25:10 -0800
On Nov 11, 2009, at 12:20 AM, Qmo (Yi-Sheng) wrote:
I want to decode the HTTP packet, but it involves the three packets. In Wireshark "Packet bytes Pane", the packet No. 134 shows

[Reassembled TCP Segments (1938 bytes): #132(272) #133(1460) #134(206)]
[Frame: 132, payload: 0-271]
[Frame: 133, payload: 272-1731]
[Frame: 134, payload: 1732-1937]

How does Wireshark know this information via the cap file?

Because it knows what HTTP responses look like - a Status-Line, a bunch of {general,response,entity}-headers, a blank line, and a response body, with the latter terminated either by the byte count from the headers or by closing the connection - so it accumulates the contents of TCP segments until it's seen all of that.
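
The accumulation described in the reply above, as an added example that is not part of the original message and is not Wireshark's own code. The function names and the sample response are constructed for illustration; only the frame numbers and segment sizes come from the post, and only the Content-Length case is handled (a body ended by connection close is not).

```python
def http_response_length(buf):
    """Total size of the HTTP response at the start of buf, or None if incomplete."""
    end = buf.find(b"\r\n\r\n")          # blank line that ends the headers
    if end < 0:
        return None                      # still inside the headers
    lines = buf[:end].split(b"\r\n")
    if not lines[0].startswith(b"HTTP/"):
        raise ValueError("not an HTTP Status-Line")
    length = None
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            length = int(value.strip())
    if length is None:
        return None                      # close-delimited body: not handled here
    total = end + 4 + length
    return total if len(buf) >= total else None


def reassemble(segments):
    """segments: (frame_no, payload) pairs in sequence order.
    Returns (pdu, [(frame, first_byte, last_byte), ...]) or None if incomplete."""
    buf, pieces = bytearray(), []
    for frame, payload in segments:
        pieces.append((frame, len(buf), len(buf) + len(payload) - 1))
        buf += payload
        total = http_response_length(bytes(buf))
        if total is not None:
            first = pieces[-1][1]
            pieces[-1] = (frame, first, total - 1)   # ignore bytes past the PDU
            return bytes(buf[:total]), pieces
    return None


def sample_segments():
    """Constructed data: a 1938-byte response cut at the sizes quoted in the post."""
    body_len = 1872
    head = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
            b"Content-Length: %d\r\n\r\n" % body_len)
    pdu = head + b"x" * body_len
    out, pos = [], 0
    for frame, size in ((132, 272), (133, 1460), (134, 206)):
        out.append((frame, pdu[pos:pos + size]))
        pos += size
    return out


if __name__ == "__main__":
    pdu, pieces = reassemble(sample_segments())
    print(len(pdu), pieces)
```
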