Wireshark mailing list archives

Re: HTTP not decoded


From: Sake Blok <sake () euronet nl>
Date: Wed, 3 Nov 2010 17:53:13 +0100

On 3 nov 2010, at 16:30, Srivats P wrote:

> Wireshark does not seem to decode TCP port 80 as HTTP for the attached
> pcap file - instead it shows the HTTP data as "TCP segment data".
>
> Is this expected behaviour? Is it because the file does not contain
> the TCP handshake packets?

The problem is not that Wireshark does *not* decode traffic on port 80 as HTTP, but the problem is that it *does* decode this traffic as HTTP, but the contents of the packet are not complete. The HTTP header in the packet is not terminated with a double CR/LF. Therefore Wireshark will continue to search for the remainder of the HTTP header to do reassembly. That's why you see "[TCP segment of a reassembled PDU]". Unfortunately it fails at its endeavors as the remainder of the HTTP header is not in the tracefile.

As Mike pointed out, you can disable the reassembly to make Wireshark interpret each TCP packet to its best abilities without trying to reassemble data so that full PDUs can be handed over to the HTTP dissector.

Cheers,


Sake

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
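
The behaviour described in the reply above, as an added example that is not part of the original message and is not Wireshark's dissector code: a simplified Python model of header reassembly over TCP segments, with reassembly on and off. The function names, row labels and sample payloads are constructed for illustration, and only header handling is modelled (no bodies, no sequence tracking).

```python
HEADER_END = b"\r\n\r\n"  # double CR/LF that terminates an HTTP header
REASSEMBLY_LABEL = "[TCP segment of a reassembled PDU]"
STARTS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"HTTP/")

# Constructed payloads: a capture that ends mid-header, and a header
# split across two segments that are both present in the capture.
TRUNCATED = [b"GET /index.html HTTP/1.1\r\nHost: example.com\r\nUser-Ag"]
COMPLETE = [b"GET /index.html HTTP/1.1\r\nHost: exa", b"mple.com\r\n\r\n"]


def describe(data):
    """Best-effort decode of whatever header bytes are present in `data`."""
    if not data.startswith(STARTS):
        return "Continuation data"
    head, sep, _ = data.partition(HEADER_END)
    lines = head.split(b"\r\n")
    if not sep and len(lines) > 1 and not head.endswith(b"\r\n"):
        lines.pop()  # last header line is cut off mid-way, do not decode it
    count = sum(1 for line in lines[1:] if b":" in line)
    note = "" if sep else ", header not terminated"
    start = lines[0].decode("ascii", "replace")
    return f"HTTP {start} ({count} header lines{note})"


def dissect(segments, reassemble=True):
    """Return one display row per TCP segment, in capture order."""
    rows, pending = [], b""
    for seg in segments:
        if not reassemble:
            rows.append(describe(seg))  # each segment decoded on its own
            continue
        pending += seg
        if HEADER_END in pending:
            rows.append(describe(pending))  # full header handed to HTTP
            pending = b""
        else:
            rows.append(REASSEMBLY_LABEL)  # still waiting for the terminator
    return rows


if __name__ == "__main__":
    for name, capture in (("truncated", TRUNCATED), ("complete", COMPLETE)):
        for mode in (True, False):
            print(name, "reassemble=%s" % mode, dissect(capture, mode))
```

In Wireshark itself the switch that corresponds to `reassemble=False` is the TCP protocol preference "Allow subdissector to reassemble TCP streams" (`tcp.desegment_tcp_streams`).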

