Wireshark-users: Re: [Wireshark-users] analysing HTTP latencies

From: "Rohit Grover" <rgrover1@xxxxxxxxx>
Date: Wed, 6 Jun 2007 10:53:38 +1200

On 6/5/07, Stephen Fisher <stephentfisher@xxxxxxxxx> wrote:

On Fri, Jun 01, 2007 at 04:20:04PM +1200, Rohit Grover wrote:

> Incidentally, upon viewing a simple HTTP dialogue using wireshark, I
> noticed that the server's first HTTP response datagram wasn't tagged
> by wireshark as HTTP. I'm quite sure I'm missing something because a
> something of this sort can't go un-noticed if it is a bug.

Was the HTTP traffic on a standard HTTP port/proxy port?  Wireshark by
default recgonizes traffic on TCP ports 80, 3128, 3132, 8080, 8088,
11371, 3689 as some form of HTTP.  It also recgonizes SSDP over HTTP on
TCP and UDP ports 1900.  There is a preference option to add one more
port to the list of recgonized ports if you need.

I discovered that the problem had to do with packet reassembly. Upon
turning off the option which permits sub-dissectors to reassemble
packets, HTTP reponses spanning multiple packets were correctly
identified.

regards,
Rohit.