Wireshark-bugs: [Wireshark-bugs] [Bug 6557] New: default HTTP dissector fails to detect HTTP bod

Date: Wed, 9 Nov 2011 22:11:49 -0800 (PST)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6557

           Summary: default HTTP dissector fails to detect HTTP bodies
                    terminated by connection close
           Product: Wireshark
           Version: 1.7.x (Experimental)
          Platform: Other
        OS/Version: All
            Status: NEW
          Severity: Major
          Priority: Low
         Component: Wireshark
        AssignedTo: bugzilla-admin@xxxxxxxxxxxxx
        ReportedBy: ShomeaX@xxxxxxxxx


Created an attachment (id=7394)
 --> (https://bugs.wireshark.org/bugzilla/attachment.cgi?id=7394)
sample capture + screenshots

Build Information:
1.7.0 (rev 39768), windows vista x32
1.6.3 windows vista x32
1.4.6 windows vista x32 / Ubuntu 10.04
--
Precondition: 
Preferences/Protocols/TCP/Allow Reassembling - true
Preferences/Protocols/HTTP/Reassemble HTTP bodies - true

When an HTTP response has no Content-Length
(e.g. an HTTP/1.0 response or Transfer-Encoding: chunked), the attempt to
reassemble the body fails, as the dissector does not know where the message ends.

However, according to the HTTP RFC, Content-Length should be deduced from transport
level properties, e.g. when the underlying stream is closed, the message is
considered closed as well.

When the server's dst port HTTP TCP stream receives or sends a FIN flag, the http
dissector must suppose that the last response is complete and report reassembling
completion.

The attached archive has three files: a sample capture file and two screenshots with
the "Reassemble HTTP bodies" option turned on and off.

The capture contains a complete HTTP/1.0 response at packet #5; however, if
"reassemble HTTP bodies" is on, it is marked as 'TCP' protocol with [Reassembled
PDU] info (screen-fail.png). The message is completed by packet #6, which has the
FIN + ACK flags set, but the http dissector does not detect the body end.

When "Reassemble HTTP bodies" is off, packet #5 is shown as 'HTTP' protocol
(screen-expected.png).

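The framing decision the report asks for, as an added Python example (not Wireshark's dissector code and not part of the original bug mail): a reassembler that treats a response with no length information as complete only once a FIN has been seen on the stream. All function names are hypothetical, and the segments are constructed `(payload, fin)` tuples modelled on packets #5 and #6 of the report.

```python
# Added example; names are hypothetical. A segment is a constructed (payload, fin) tuple.

def parse_head(data):
    """Return (status, headers, body so far), or None if the head is incomplete."""
    head, sep, rest = data.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(lines[0].split()[1]), headers, rest

def chunked_body(raw):
    """Decode a chunked body; None until the terminating zero-size chunk arrives."""
    body, pos = b"", 0
    while True:
        eol = raw.find(b"\r\n", pos)
        if eol < 0:
            return None
        size = int(raw[pos:eol].split(b";")[0], 16)  # ignore chunk extensions
        if size == 0:
            return body
        start = eol + 2
        if len(raw) < start + size + 2:
            return None
        body += raw[start:start + size]
        pos = start + size + 2

def reassemble_response(segments):
    """Return (framing, body); body is None while the response is still incomplete."""
    data = b"".join(payload for payload, _fin in segments)
    fin_seen = any(fin for _payload, fin in segments)
    parsed = parse_head(data)
    if parsed is None:
        return ("incomplete-head", None)
    status, headers, rest = parsed
    if status < 200 or status in (204, 304):
        return ("no-body", b"")
    if "chunked" in headers.get("transfer-encoding", "").lower():
        return ("chunked", chunked_body(rest))
    if "content-length" in headers:
        n = int(headers["content-length"])
        return ("content-length", rest[:n] if len(rest) >= n else None)
    return ("close-delimited", rest if fin_seen else None)  # body ends at FIN

# Constructed sample: HTTP/1.0 response without Content-Length, then a bare FIN segment.
SAMPLE = [(b"HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\n\r\nhello", False), (b"", True)]
```

With only the first segment of `SAMPLE` the response is reported as incomplete; adding the FIN segment completes it, which is the behaviour the report expects for packet #5 once packet #6 is seen.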