Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Ethereal-users: Re: [Ethereal-users] Question on Continuation Data

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Wed, 13 Feb 2002 17:32:28 -0800
On Wed, Feb 13, 2002 at 10:34:11AM -0500, Mcauliffe, Kristin wrote:
> We are using ethereal to analyze client authentication in accessing a
> web page and I cannot find an answer on what describes 'Continuation
> data' and 'Application Data' as listed in the info section of captured
> file.

"Continuation data" isn't use for HTTP traffic; it does label stuff as
"Continuation" (without the "data").

For HTTP traffic, it refers to any packet that *doesn't* begin with an
HTTP request or reply line.  If, for example, the user fetches a Web
page that doesn't fit in a single TCP segment (the size of which would
be limited to about 1460 bytes of data if you're running over Ethernet),
the first packet of the reply wouldn't be marked as a continuation (as
it'd begin with an HTTP reply), but all subsequent packets of the reply
would be.

"Continuation data", with the "data", is the label given to
NetBIOS-over-TCP packets (used for SMB/CIFS, i.e.  file sharing using
the standard Windows file-sharing protocol) and RPC packets (most likely
used for NFS, i.e.  file sharing using the most common UNIX file-sharing
protocol) that don't start with a NetBIOS-over-TCP or RPC header; those
would most likely be packets after the first packet of an SMB/CIFS or
NFS read reply or request.

"Application data" is used for SSL application data.  Ethereal does
*NOT* decrypt encrypted SSL data, so it can't label it as anything other
than "Application data".