Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-dev: [Wireshark-dev] Further HTTP woes...

From: "Bryant Eastham" <beastham@xxxxxxxxxxx>
Date: Thu, 7 Sep 2006 17:12:56 -0600
It appears that HTTP requests/responses that are not chunked and do not
include a Content-Length cannot be decoded correctly. The following
comment appears in the code:

	 * If no content length was supplied (or if a bad content length
	 * was supplied), the amount of data to be processed is the
amount
	 * of data remaining in the frame.
	 *
	 * If there was no Content-Length entity header, we should
	 * accumulate all data until the end of the connection.
	 * That'd require that the TCP dissector call subdissectors
	 * for all frames with FIN, even if they contain no data,
	 * which would require subdissectors to deal intelligently
	 * with empty segments.

My understanding is that the logic to "accumulate all data until the end
of the connection" is not currently possible (or at least not currently
implemented).

I now have the following problem. It is common for our implementation to
dump the headers in one segment and then dump the data in the next, with
no Content-Length. Yes, we should set the Content-Length and the problem
goes away, but the engineer didn't, and shouldn't really have to.

So:

1. The packet with the headers is not passed to my subdissector because
there is no data. The 'if' statement at line 901 of packet-http.c sees
to that.
2. The packet without my headers is passed to my subdissector, but
without the headers I can't tell that it is mine.

A solution would be to create a conversation and attach the header
information to it when I notice that it is my protocol, but that doesn't
work because of #1 - I don't get a chance to create the conversation.

The solution appears to either be to implement the logic described in
the comments - far beyond my meager knowledge - or to pass packets with
no data (but with headers) to subdissectors.

Does this make sense, or am I missing something? Would it be acceptable
to pass zero-data-length packets to subdissectors?

Should I take this offline with the primary HTTP maintainer? And is that
Guy Harris?

Thanks,
Bryant Eastham
Chief Architect
Panasonic Electric Works Laboratory of America, Inc.
Salt Lake City Lab
4525 South Wasatch Blvd., Suite 100, Salt Lake City, Utah 84124
Phone : 801.993.7124 Email: beastham@xxxxxxxxxxx
Fax: 801.993.7260 Web: http://slc.mew.com <http://slc.mew.com/>