Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-users: Re: [Wireshark-users] Merging HTTP packets

From: Yang Zhang <yanghatespam@xxxxxxxxx>
Date: Fri, 11 Apr 2008 11:50:01 -0400
Guy Harris wrote:
Yang Zhang wrote:
Hi, I captured some packets with the filter "tcp port 80 and host www.facebook.com". As a result I see a bunch of individual packets - some HTTP, some just TCP, with many of the HTTP messages segmented.

I can ignore the TCP-only packets by typing in 'http' in the filter box, but is there some way to merge the HTTP packets to be whole, unsegmented requests/responses?

Do you have the HTTP preferences

	Reassemble HTTP headers spanning multiple TCP segments

	Reassemble HTTP bodies spanning multiple TCP segments

and the TCP preference

	Allow subdissector to reassemble TCP streams

turned on?  If so, Wireshark should reassemble HTTP requests and responses.
_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users

All of these appear to be enabled.

Here's what I'm seeing:

http://img90.imageshack.us/img90/588/capturingwiresharknw4.png

Follow TCP stream just merges all the HTTP requests/responses together and doesn't do things like gunzip the contents. Also, I'm actually doing "... and net 69.63" rather than "and host www.facebook.com".