This is our old Q&A Site. Please post any new questions and answers at

I'm writing some code to integrate an in-house app into a DVR to retrieve a video file. This is all reverse engineered as there isn't any official documentation, and I'm having trouble understanding the following sequence of events (captured by playing with the DVR's Android app).

936 72.985204   HTTP    468     POST /cgi-bin/supervisor/NetworkBk.cgi HTTP/1.1  (application/x-www-form-urlencoded)
937 72.985368     TCP     54      mit-ml-dev > 41859 [ACK] Seq=1 Ack=415 Win=65535 Len=0
938 73.933676     HTTP    275     HTTP/1.0 200 OK  (video/mpeg4)
939 73.933983   TCP     54      41859 > mit-ml-dev [ACK] Seq=415 Ack=222 Win=15544 Len=0
940 74.004433     TCP     74      [TCP segment of a reassembled PDU]
941 74.004887   TCP     54      41859 > mit-ml-dev [ACK] Seq=415 Ack=242 Win=15544 Len=0
942 74.024669     HTTP    1346    Continuation or non-HTTP traffic

The HTTP POST requests the video file, which then results in an HTTP 200 response consisting of the string "OK". I get confused as to what happens next. It looks like the video file comes later as part of the Continuation or non-HTTP traffic as I get a lot of these. Isn't the request complete when the HTTP 200 response is received? Why then is it continuing to receive TCP data and then getting a HTTP Continuation or non-HTTP traffic? The subsequent TCP packets contain the video file I'm intending to download. When I manually craft a HTTP POST I get the HTTP OK response and then I'm stumped. How do I access the non-HTTP packets?

This is the code I use to simulate the HTTP POST.

import requests
dc = {"action":"download", "start_time":"2013 7 1 13 59 00", "end_time":"2013 7 14 3 0", "num":"255", "ch":"5"}
r ="", data=dc, auth=(username, password))

This is the RAW response of the HTTP OK reply. As far as I can tell, there is nothing there about expecting extra content.

HTTP/1.0 200 OK
Date: Mon, 01 Jul 2013 15:01:34 GMT
nServer: Linux/2.x UPnP/1.0 Avtech/1.0
Expires: 0
Pragma: no-cache
Cache-Control: no-cache
Connection: close
Content-Type: video/mpeg4
Content-Length: 5


What's going on and how do I get to the Continuation or non-HTTP traffic?

asked 01 Jul '13, 12:57

CadentOrange's gravatar image

accept rate: 0%

The HTTP data part of the response is:


Which is a response of 5 bytes. This is inline with the Content-Length header. The server should not send any more data after these 5 bytes. If it does, it is not following the RFC's. That is probably why Wireshark has some difficulty showing the HTTP data in a normal manner.

permanent link

answered 01 Jul '13, 13:27

SYN-bit's gravatar image

SYN-bit ♦♦
accept rate: 20%

This is what I suspected which would explain why tools like wget and my own Python code don't work as expected.

(01 Jul '13, 23:49) CadentOrange

The 200 OK is HTTPs return code to the request you sent before - if data is to be delivered as part of the requests answer it will immediately start delivering it withing the very same packet containing the HTTP (Response) Header with the Return Code. So the 200 OK is the start of the data transmission following your request

permanent link

answered 01 Jul '13, 13:23

Landi's gravatar image

accept rate: 28%

I guess the part that throws me off is that the content of the HTTP OK response is 5 bytes and the connection is closed immediately after. As SYN-bit has said, this is not RFC compliant and is probably why I'm having trouble reading the response with standard tools. It looks like I will have to keep the socket open and read from it once I've got the OK response.

(01 Jul '13, 23:51) CadentOrange
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:


question asked: 01 Jul '13, 12:57

question was seen: 17,584 times

last updated: 01 Jul '13, 23:51

p​o​w​e​r​e​d by O​S​Q​A