
Ethereal-users: Re: [Ethereal-users] "TCP Segment of a Reassembled PDU" vs. "Continuation or non

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Tue, 18 Apr 2006 10:51:36 -0700
Feeny, Michael (TD&DS, Applications Infrastructure Svcs.) wrote:

I have 2 different trace files, each of which contains an HTTP "POST" request that is split across 2 packets. In one of the traces, Ethereal displays "TCP Segment of a Reassembled PDU" for the 1st of these 2 packets, and in the other, it displays "Continuation or non-HTTP traffic" for the 2nd of the 2 packets.

Can someone explain the distinction?

"TCP Segment of a Reassembled PDU" means that Ethereal's doing reassembly, which means that

1) TCP's "Allow subdissector to reassemble TCP streams" preference is turned on;

2) HTTP's reassembly preferences are turned on;

3) the POST body is either not split across segments or has a Content-Length header (currently, HTTP bodies aren't reassembled if they don't have a Content-Length header).

"Continuation or non-HTTP traffic" means Ethereal's not doing reassembly. Unless you changed the preference settings between the two traces, it might be that the second POST doesn't have a Content-Length header.

One difference in the 2 traces: In the first trace, HTTP is sent over a non-standard TCP port (3139), and so I have to use "Analyze/Decode as..." to force Ethereal to interpret the traffic as HTTP. Does that explain the difference in diagnostic messages?

Probably not - the HTTP code path should work the same in either case.
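
The labelling rules described in this reply, as an added example that is not part of the original message and is not Ethereal's dissector code: a simplified Python model that labels in-order TCP payloads of an HTTP request. The function names, the `HTTP` label for a dissected request, and the sample segments are constructed for illustration.

```python
import re

REASSEMBLED = "TCP segment of a reassembled PDU"
CONTINUATION = "Continuation or non-HTTP traffic"
# Only request start lines are modelled here (assumption for this example).
START_LINE = re.compile(rb"^(GET|POST|PUT|HEAD|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")


def content_length(header_block: bytes):
    """Return the Content-Length value from a header block, or None if absent."""
    m = re.search(rb"(?im)^content-length:[ \t]*(\d+)[ \t]*\r?$", header_block)
    return int(m.group(1)) if m else None


def label_segments(segments, tcp_reassembly=True, http_reassembly=True):
    """Label each in-order TCP payload following the three conditions in the reply."""
    reassemble = tcp_reassembly and http_reassembly   # conditions 1 and 2
    labels, buf = [], b""
    for seg in segments:
        if not buf and not START_LINE.match(seg):
            labels.append(CONTINUATION)               # nothing pending, no request line
            continue
        buf += seg
        head, sep, body = buf.partition(b"\r\n\r\n")
        length = content_length(head) if sep else None
        # Condition 3: the end of the body is only known via Content-Length.
        incomplete = not sep or (length is not None and len(body) < length)
        if reassemble and incomplete:
            labels.append(REASSEMBLED)                # hold the bytes, wait for more
        else:
            labels.append("HTTP")                     # dissected as a request on its own
            buf = b""
    return labels


# Constructed sample: one POST split across two segments, with and without Content-Length.
POST_WITH_CL = [
    b"POST /submit HTTP/1.1\r\nHost: example.test\r\nContent-Length: 11\r\n\r\nhello",
    b" world",
]
POST_NO_CL = [
    b"POST /submit HTTP/1.1\r\nHost: example.test\r\n\r\nhello",
    b" world",
]

if __name__ == "__main__":
    for name, segs in (("with Content-Length", POST_WITH_CL), ("without", POST_NO_CL)):
        print(name, label_segments(segs))
```

With Content-Length present the first packet carries the reassembly label, while without it the second packet is the one marked as a continuation, which matches the two traces in the question.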