Wireshark mailing list archives
Re: Decode TCP trame cup into different parts
From: Guy Harris <guy () alum mit edu>
Date: Thu, 7 Jan 2010 04:22:01 -0800
On Jan 7, 2010, at 4:03 AM, Olivier-externe GERAULT wrote:
I would like to analyze paquets sent and received but they are cut into many parts and WireShark seems not able to understand the entire message. For example, in the "Follow TCP Stream", I get the result:
{HTTP POST request}
I can see that it is a SOAP response and the begining of the message in quite clear. But, the 2nd paquet is not decoded and I don't knwo how to read it.
What do you mean by "packet" here? That might be two or more TCP segments, but it appears to be a *single* HTTP POST request. It says Content-Encoding: gzip which means that the data in the POST request is gzipped; that's why what comes after Content-Length: 190 and the blank line following the Content-Length line is a bunch of binary data. What does Wireshark show in the packet summary pane? If it's doing reassembly of HTTP headers and data, it should show an HTTP POST, and if you click on that, it should show the entire packet - and possibly even unzip the compressed data and show the XML.
It there an option in WireShark?
There are options for the HTTP dissector (select Edit -> Preferences, open up the Protocols list, and select HTTP) for "Reassemble HTTP headers spanning multiple TCP segments" and "Reassemble HTTP bodies spanning multiple TCP segments"; make sure those options, and "Uncompress entity bodies", are all on (checked). (Also make sure "Reassemble chunked transfer-coded bodies" is on, although that won't affect that *particular* HTTP message.) ___________________________________________________________________________ Sent via: Wireshark-users mailing list <wireshark-users () wireshark org> Archives: http://www.wireshark.org/lists/wireshark-users Unsubscribe: https://wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request () wireshark org?subject=unsubscribe
Current thread:
- Decode TCP trame cup into different parts Olivier-externe GERAULT (Jan 07)
- Re: Decode TCP trame cup into different parts Lior Zarfati (Jan 07)
- Re: Decode TCP trame cup into different parts Guy Harris (Jan 07)
- Re: Decode TCP trame cup into different parts Olivier-externe GERAULT (Jan 07)
- Re: Decode TCP trame cup into different parts Guy Harris (Jan 07)
- Re: Decode TCP trame cup into different parts Guy Harris (Jan 07)
- Re: Decode TCP trame cup into different parts Lior Zarfati (Jan 07)
- Re: Decode TCP trame cup into different parts Guy Harris (Jan 07)