
Wireshark-users: [Wireshark-users] tcp segments

From: c y <neblinc1@xxxxxxxxx>
Date: Thu, 3 Sep 2009 21:32:28 -0500
Hi all,
I'm not able to understand some data I see in Wireshark, and I hope to get some help. Here's my scenario:

1) Host A sends an HTTP request to Host B. I see frames related to this.
2) Host B sends an HTTP response to Host A. This part is where things get interesting. I see 2 frames in Wireshark related to this:
    a) The first one is an HTTP protocol message with 1114 bytes. In the IP header for this message, the Don't Fragment and More Fragments flags are not set, and the fragment offset is 0. The data is part of my HTML content.
    b) The second one is also an HTTP protocol message, with 798 bytes. This one says "Continuation or non-HTTP traffic". Again, the flags in the IP header are not set and the fragment offset is 0. The data contains the remainder of my content.

Wireshark is able to assemble the data from both frames into the HTTP response. So, this is good.

The thing I do not understand is how Wireshark assembles the frames. The Identification field in the IP header is also different for the two frames. Which field does Wireshark look at to figure out that these are part of a single HTTP response?


Thanks,
cy
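Added illustration, not part of the original post or of Wireshark's own code: the two frames described above are TCP segments of one stream, not IP fragments, so the IP Identification field and fragment offset play no role in putting them together. What Wireshark's TCP dissector uses is the TCP sequence number of each segment (the "Allow subdissector to reassemble TCP streams" preference), and the HTTP dissector then knows the response is complete from Content-Length. The Python below reproduces that logic on a constructed two-segment HTTP response. The `Segment` class, the sample bytes, the initial sequence number and the split point are all assumptions made for the example; the real frames in the post were 1114 and 798 bytes, but the mechanism is identical.

```python
from dataclasses import dataclass


@dataclass
class Segment:
    """One captured TCP segment (constructed for this example)."""
    ip_id: int       # IPv4 Identification: differs per packet, NOT used for TCP reassembly
    seq: int         # TCP sequence number of the first payload byte
    payload: bytes   # TCP payload carried in this frame


# Constructed sample: a small HTTP response split across two TCP segments.
HTTP_BODY = b"<html><body>hello</body></html>"
HTTP_HEAD = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: %d\r\n\r\n" % len(HTTP_BODY)
)
FULL_RESPONSE = HTTP_HEAD + HTTP_BODY

ISN = 1_000_000   # assumed initial sequence number of the server->client direction
SPLIT = 40        # assumed byte offset where the first segment ends

# Deliberately listed out of order, with unrelated IP IDs, to show neither matters.
SEGMENTS = [
    Segment(ip_id=0x3C4D, seq=ISN + SPLIT, payload=FULL_RESPONSE[SPLIT:]),
    Segment(ip_id=0x1A2B, seq=ISN, payload=FULL_RESPONSE[:SPLIT]),
]


def reassemble(segments, isn):
    """Order segments by TCP sequence number and concatenate contiguous bytes.

    Retransmitted or overlapping data is skipped; a gap (missing segment)
    raises, since the stream cannot be reassembled without it.
    """
    data = bytearray()
    expected = isn
    for seg in sorted(segments, key=lambda s: s.seq):
        if seg.seq > expected:
            raise ValueError(f"gap in stream: expected seq {expected}, got {seg.seq}")
        overlap = expected - seg.seq          # bytes already seen (retransmission)
        data += seg.payload[overlap:]
        expected = max(expected, seg.seq + len(seg.payload))
    return bytes(data)


def http_response_complete(data):
    """Mimic the HTTP dissector's completeness check via Content-Length."""
    head, sep, body = data.partition(b"\r\n\r\n")
    if not sep:
        return False                          # headers not even finished yet
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            return len(body) == int(value.strip())
    return False


if __name__ == "__main__":
    stream = reassemble(SEGMENTS, ISN)
    print("reassembled", len(stream), "bytes; complete:", http_response_complete(stream))
```

Run stand-alone, the script reassembles the segments despite their arrival order and differing IP IDs, and reports the response as complete only once the body length matches Content-Length, which is why the first frame alone shows as an HTTP message and the second as "Continuation".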