This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi

We are facing some issue in which client(browser IE8) intermittently fails to download file over HTTPS. First time it successfully downloads the file on subsequent attempt it downloads the file partially 50MB out of 133 MB and says download is successful.

wireshark dump says that after some time client sends FIN, ACK

asked 14 Dec '12, 04:21

lodha13's gravatar image

lodha13
1112
accept rate: 0%

edited 14 Dec '12, 04:22


That sounds like a cache issue. Do you use any HTTP caches? If so, did you try to clear those caches?

If that does not solve the problem, we really need more information. If possible, post the capture file somewhere (one-click hoster or cloudshark.org). Beware privacy issues with the content in the capture file!

Regards
Kurt

permanent link

answered 14 Dec '12, 06:39

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

Thanks for replying. Issue is only seen in HTTPS not in HTTP, I have cleared the browser cache but even then the issue occurs.

I understand that without network capture it is difficult to investigate but capture contains confidential information.

I can tell you about packet capture, Client is receiving data which can be seen by acknowledment number but just at 40.7 MB client sends FIN, ACK and then eventually closes the connection.

Sometimes client sends RST, ACK.

Can you tell me how client knows that it has received the complete file and it has to end the connection now.

I mean at 41.7 MB only that condition occurs which tells the client that it has received the complete file and has to end the connection. (just a thought)

(14 Dec '12, 08:36) lodha13

I understand that without network capture it is difficult to investigate but capture contains confidential information.

If it's HTTPS (encrypted data, nobody can read it), how confidential can it be? ;-)) If you are concerned regarding the IP addresses, I suggest to use a pcap anonymization tool.

BTW: Do you have access to the server private key to decrypt the HTTPS data stream? If no, then you will probably have a hard time to analyze the problem. In that case I suggest to use Fiddler2 (google it) to analyze the problem.

(14 Dec '12, 10:21) Kurt Knochner ♦

Can you tell me how client knows that it has received the complete file and it has to end the connection now.

well, if it's really the client who ends the connection (I can't confirm without a capture file), then 'something' within the client leads to this decision. This could be:

  • a timeout condition on the client
  • the client thinks it has downloaded the whole file (due to a size information from the server when it requested the "file").
  • the client has no space left on disk to write the (temp) file
  • some security software at the client (AV, IDS, Endpoint Security) closes the connection as it believes to have found malware, an attack, etc.

So, there are numerous reasons for that kind of behaviour.

Is this a plain file download or some web application with code on the client (Java, Javascript)?

(14 Dec '12, 10:35) Kurt Knochner ♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×91
×69
×36
×7

question asked: 14 Dec '12, 04:21

question was seen: 3,341 times

last updated: 14 Dec '12, 10:35

p​o​w​e​r​e​d by O​S​Q​A