Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.
Wireshark logo

Wireshark-users: Re: [Wireshark-users] why HTTP PDU is not reassambled

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: "ronnie sahlberg" <ronniesahlberg@xxxxxxxxx>
Date: Tue, 19 Dec 2006 09:41:14 +0000
The request is complete yes.
The problem here is that HTTP is a very difficult protocol to do
reassembly for and is thus doing reassembly very differently to all
other protocols running over TCP.
When reassembl;ing the ASCII header which have no explicit length that
describes the header length the http dissector instead uses a special
"ask for one more segment at a time" when reassembling the header.
This special kind of reassembly does not work entirely for http
headers that span across more than two tcp segments. I.e. that asks
for "one more segment please" multiple times for the same header.

I may have a fix for this in the next few days.


On 12/16/06, Xiaoguang Liu <syslxg@xxxxxxxxx> wrote:

Yes. I meant fram 8,9,10

I think this HTTP request is completed. no more data is needed in subsequent
frame. We can see 0x0d0a0d0a at the end of frame 10.

I am also wondering why web server reset the connection. but it should not
do that no matter there some more frames to be recieve or not.  a possible
reason is that the IIS application pool crushed after it recieved the HTTP
request (frame 8-10).

What I would like to understand is why Wireshark did not reassamble frame
8-10. What did it wait for?




On 12/16/06, Stephen Fisher <stephentfisher@xxxxxxxxx> wrote:
>
> On Fri, Dec 15, 2006 at 10:09:26PM +0800, Xiaoguang Liu wrote:
>
> > in the attachment, frame 7,8,9 shoud be a single HTTP request. Why
> > wireshark did not reassamble them? Test on Version 0.99.5-SVN-20139
> > (SVN Rev 20139), windows xp sp2. I do eanble all reasamble HTTP .....
> > options.
>
> I believe you meant frames 8, 9, 10?  They are being reassembled as you
> can see from [TCP segment of a reassembled PDU] in the info column.
> However, as you stated the final reassembled HTTP packet never shows up.
> My guess would be that more data is expected before it finishes the
> reassembly, but instead the server resets the connection (RST in the
> final frame of the capture).  Can you reproduce this problem again?
>
>
> Steve
> _______________________________________________
> Wireshark-users mailing list
> Wireshark-users@xxxxxxxxxxxxx
> http://www.wireshark.org/mailman/listinfo/wireshark-users
>
Wireshark logo footer

© Wireshark Foundation · Privacy Policy

Facebook·Mastodon·Twitter·YouTube