This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

how to find missing http response

0

Hello i have cap file so how can find those packets which response didn't came.

Thanks

Regards Mudasser

asked 18 Mar '13, 23:27

togreatmind's gravatar image

togreatmind
1234
accept rate: 0%

edited 19 Mar '13, 10:08

grahamb's gravatar image

grahamb ♦
19.8k330206


2 Answers:

0

What protocol you are looking at to find missing response?

If it is to find missing HTTP response packets for HTTP requests

One way or analyzing is by going to MENU Statistics > HTTP > Load Distribution and click create stat

The output gives HTTP Requests to server and HTTP Responses from server where one will get a chance to compare and identify for what request the response is missing.

The other way is to display tcp.analysis.flags(duplicate acknowledgements,retransmissions,fast retransmissions etc...)which are generated when an error condition occurs.These packets are really helpful in identifying the error zone.You can play with export information in status bar(the bottom pane) to quickly check these error conditions.

Hope this helps

answered 18 Mar '13, 23:52

krishnayeddula's gravatar image

krishnayeddula
629354148
accept rate: 6%

edited 19 Mar '13, 09:36

I am not able to find those packets which response was missing.means all those packets which dont have response. by mention solution i am not able to find can anyone explain in detail as i am new in wireshark

Thanks Regards Mudasser

(19 Mar '13, 05:55) togreatmind

what protocol are you interested in? We need to know that as "reponse was missing" has a different meaning for different protocols!!

(19 Mar '13, 06:38) Kurt Knochner ♦

I am asking about HTTP

(19 Mar '13, 07:06) togreatmind

Please try to make this aspect clear in your question "how to find missing HTTP Response" will give a better picture to the reader than "how to find missing response" There are protocols which follows request and response model other than HTTP.

(19 Mar '13, 08:46) krishnayeddula

0

I am asking about HTTP

If you mean: There is no HTTP response to a HTTP request, then there is (unfortunately) no easy way to do that in Wireshark, as there is no HTTP protocol flow analysis, similar to TCP SEQ/ACK analysis.

Can you please add why you need that information (what kind of problem are you analyzing)? Maybe there is a another way to solve your problem.

One idea: You could write a Lua Listener for HTTP. Within that Listener it would be possible to record all HTTP requests and check if there is a (valid) response for each request. But that coding needs to be done (not very hard, but not very easy either), unless you find some ready to use Lua script for this.

UPDATE:

please check the latest development version.

According to the answer of @JeffMorris to this question, there is a functionality (implemented in bug8287) that will calculate the delta time between a HTTP request and the response. That feature might help to identify "missing responses" by filtering/sorting on those delta times.

Regards
Kurt

answered 19 Mar '13, 09:47

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 21 Mar '13, 09:40

Kurt, Will comparing requests vs responses using Statistics > HTTP > Load Distribution and click create stat can give any slight hint? If the ratio between request and response is not equal to 1 then we can move further to verify whether the object got cached for that particular flow or whether it got lost.If it is lost tcp.analysis can help us to debug further correct?

(19 Mar '13, 11:18) krishnayeddula

If the ratio between request and response is not equal to 1

yes, that might/will be a sign for a "missing repsonse" (either not there or not captured!). However, the OP already knows that (or assumes it) and now he/she is looking for a method to find the occurrences in the capture file. Unfortunately there is no simple way (I know of) to find those "missing responses", except the Lua scripting I mentioned. You can also use tshark and some external scripts, but that's just another way of scripting ;-)

If it is lost tcp.analysis can help us to debug further correct?

If you can assume that it got lost, yes. If just the server crashed after it got the request, you won't find the "missing response" with a TCP analysis.

(19 Mar '13, 13:51) Kurt Knochner ♦

see the UPDATE in my answer.

(21 Mar '13, 09:40) Kurt Knochner ♦