Wireshark mailing list archives
Re: HTTP not decoded
From: Sake Blok <sake () euronet nl>
Date: Wed, 3 Nov 2010 17:53:13 +0100
On 3 nov 2010, at 16:30, Srivats P wrote:
Wireshark does not seem to decode TCP port 80 as HTTP for the attached pcap file - instead it shows the HTTP data as "TCP segment data". Is this expected behaviour? Is it because the file does not contain the TCP handshake packets?
The problem is not that wireshark does *not* decode traffic on port 80 as HTTP, but the problem is that it *does* decode this traffic as HTTP, but the contents of the packet is not complete. The HTTP header in the packet is not terminated with a double CR/LF. Therefore Wireshark will continue to search for the remainder of the HTTP header to do reassembly. That's why you see "[TCP segment of a reassembled PDU]". Unfortunately it fails at it's endeavors as the remainder of the HTTP header is not in the tracefile. As Mike pointed out, you can disable the reassembly to make Wireshark interpret each TCP packet to it's best abilities without trying to reassemble data so that full PDU's can be handed over to the HTTP dissector. Cheers, Sake ___________________________________________________________________________ Sent via: Wireshark-users mailing list <wireshark-users () wireshark org> Archives: http://www.wireshark.org/lists/wireshark-users Unsubscribe: https://wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request () wireshark org?subject=unsubscribe
Current thread:
- HTTP not decoded Srivats P (Nov 03)
- Re: HTTP not decoded Marco Simone Zuppone (Nov 03)
- Re: HTTP not decoded M Holt (Nov 03)
- Re: HTTP not decoded Srivats P . (Nov 03)
- Re: HTTP not decoded M Holt (Nov 03)
- Re: HTTP not decoded Srivats P . (Nov 03)
- Re: HTTP not decoded Prigge Scott (Nov 03)
- Re: HTTP not decoded Prigge Scott (Nov 03)
- Re: HTTP not decoded Sake Blok (Nov 03)
- Re: HTTP not decoded Srivats P . (Nov 03)