Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-dev: [Wireshark-dev] different pdu.len for (HTTP) media/* dissector?

From: varname <varname@xxxxxxxxx>
Date: Thu, 25 Feb 2010 15:23:48 +0100
While figuring out how to access http bodies fom http responses, I noticed something about the reported lengths of pdu's in Lua. Using the following code:


http_extractor_f ="http")
function tap.packet(pinfo, tvb, userdata)
  local http_pdu = http_extractor_f()
  print("pdu.len: " .. tostring(http_pdu.len))

with a tap filtering on http packets I see this:

- whenever a (reassembled) http packet contains a content_type of 'audio/mpeg' the pdu length seems to be equal to: length(http header) + length(http_body).

- for other mime-types (or at least text/html, image/gif and image/jpeg) this does not seem to occur. The http_pdu.len then seems to be equal to the actual length.

Is this expected behaviour, or is my code incorrect / wrong?

Example output (of a somewhat extended script):


pkt.number      : 43
pdu.len         : 630
content_length  : 184
content_type    : text/html; charset=utf-8
body            : yes
media           : no

pkt.number      : 3557
pdu.len         : 3186271
content_length  : 3185898
content_type    : audio/mpeg
body            : no
media           : yes

pkt.number      : 12717
pdu.len         : 314
content_length  : 35
content_type    : image/gif
body            : no
media           : no