Ethereal-dev: Re: [Ethereal-dev] HTTP body reassembly?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Jerry Talkington <jtalkington@xxxxxxxxxxxxxxxxxxxxx>
Date: Tue, 4 Oct 2005 14:32:44 -0700
On Tue, Oct 04, 2005 at 05:04:17PM -0400, Alex Kirk wrote:
> Hello All,
> 
> I was just poking around with the HTTP dissector, wishing that there was a way
> to unzip the body of a gzipped HTTP response in TCP packets 2 through N, when I
> stumbled across HTTP body reassembly. I figured I'd struck gold, but when I
> enabled it and TCP subdissector reassembly, I found that the display of packet 1
> of an HTTP response had not changed at all, and that subsequent packets didn't
> even show HTTP dissection -- I couldn't even click on the body of the packet. 

The body of the packet was probably reassembled in a future packet,
which would be displayed as [Reassembled TCP Segment] or something close
to that.

The meat of the packet is still available in the tcp tree.
 
> At this point, I decided to head to the source, and I ran across a very
> interesting snippet (lines 512-518 of epan/dissectors/packet-http.c in version
> 0.10.12):
> 
>                 if (!req_resp_hdrs_do_reassembly(tvb, offset, pinfo,
>                     http_desegment_headers, http_desegment_body)) {
>                         /*
>                          * More data needed for desegmentation.
>                          */
>                         return -1;
>                 }
> 
> This (as well as the fact that searching for "desgment" elsewhere in the file
> yields nothing of interest) suggests to me that reassembly of HTTP response
> bodies is not actually implemented yet, even though an option to do so is
> present in the GUI (I'll reserve comment on the issues with that for now,
> especially since I may be wrong). Thus, my questions for you all are:

req_resp_hdrs_do_reassembly() is implemented in req_resp_hdrs.c, which
is the file that actually has the reassembly code in it.

 
> 1. Is HTTP response body reassembly actually functional, just buried away
> somewhere that I'm missing it?
> 2. If not, are there any major known hurdles to implementing it?
> 3. If it can be implemented with relative ease, is anyone currently working on
> it, or can I take a whack? :-)
 
Should be fully functional.  See http://wiki.ethereal.com/TCP_Reassembly
for all of the correct options that need to be enabled for it to work.
TCP Checksum verification is mentioned on that page, so you'll probably
want to make sure that's set correctly as well.

If everything is working correctly, you'll see the entire reassembled
object in the *last* frame that is relevant to that particular
transaction.

Unfortunately, if there are out of order packets, reassembly will appear
to be working until the out of order packet comes, then will switch to
"Http Continuation," and the reassembly won't work.

-- 
GPG public key:
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x9D5B8762
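
Added example, not part of the original message and not Ethereal's code: a minimal C sketch of the decision a dissector has to make before it can hand a complete HTTP body onward, namely whether the bytes captured so far contain the whole header block and the full Content-Length body, or whether more TCP segments are needed. The function name `http_bytes_missing` and the sample response are constructed for illustration; chunked transfer encoding and out-of-order segments are not handled.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not Ethereal's req_resp_hdrs_do_reassembly().
 * Returns -1 when the header block is incomplete, 0 when headers plus the
 * Content-Length body are all in buf, else the body bytes still missing. */
long http_bytes_missing(const char *buf, size_t len)
{
    static const char name[] = "content-length:";
    const size_t nlen = sizeof(name) - 1;
    const char *end = NULL, *line, *eol, *p;
    long want = 0;
    size_t i, have;

    for (i = 0; i + 4 <= len; i++)          /* find the blank line ending the headers */
        if (memcmp(buf + i, "\r\n\r\n", 4) == 0) { end = buf + i + 4; break; }
    if (end == NULL)
        return -1;                          /* headers continue in a later segment */
    for (line = buf; line < end; line = eol + 1) {
        eol = memchr(line, '\n', (size_t)(end - line));
        if (eol == NULL)
            break;
        if ((size_t)(eol - line) < nlen)
            continue;                       /* too short to be Content-Length */
        for (i = 0; i < nlen && tolower((unsigned char)line[i]) == name[i]; i++)
            ;
        if (i != nlen)
            continue;                       /* some other header */
        p = line + nlen;
        while (p < eol && (*p == ' ' || *p == '\t'))
            p++;
        for (want = 0; p < eol && isdigit((unsigned char)*p) && want < 100000000L; p++)
            want = want * 10 + (*p - '0');  /* digits only, bounded, never past eol */
    }
    have = len - (size_t)(end - buf);       /* body bytes already captured */
    return have >= (size_t)want ? 0 : want - (long)have;
}

int main(void)
{
    /* Constructed sample response, cut at three different segment boundaries. */
    const char *full = "HTTP/1.1 200 OK\r\nContent-Encoding: gzip\r\n"
                       "Content-Length: 10\r\n\r\n0123456789";
    size_t n = strlen(full);
    printf("%ld %ld %ld\n", http_bytes_missing(full, 30),
           http_bytes_missing(full, n - 6), http_bytes_missing(full, n));
    return 0;
}
```

Only when the result is 0 is the body complete enough to be passed to a later step such as gzip decompression.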