This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Understanding Continuation or non-HTTP traffic

0

I'm writing some code to integrate an in-house app into a DVR to retrieve a video file. This is all reverse engineered as there isn't any official documentation, and I'm having trouble understanding the following sequence of events (captured by playing with the DVR's Android app).

936 72.985204   192.168.0.1     192.168.0.200   HTTP    468     POST /cgi-bin/supervisor/NetworkBk.cgi HTTP/1.1  (application/x-www-form-urlencoded)
937 72.985368   192.168.0.200   192.168.0.1     TCP     54      mit-ml-dev > 41859 [ACK] Seq=1 Ack=415 Win=65535 Len=0
938 73.933676   192.168.0.200   192.168.0.1     HTTP    275     HTTP/1.0 200 OK  (video/mpeg4)
939 73.933983   192.168.0.1     192.168.0.200   TCP     54      41859 > mit-ml-dev [ACK] Seq=415 Ack=222 Win=15544 Len=0
940 74.004433   192.168.0.200   192.168.0.1     TCP     74      [TCP segment of a reassembled PDU]
941 74.004887   192.168.0.1     192.168.0.200   TCP     54      41859 > mit-ml-dev [ACK] Seq=415 Ack=242 Win=15544 Len=0
942 74.024669   192.168.0.200   192.168.0.1     HTTP    1346    Continuation or non-HTTP traffic

The HTTP POST requests the video file, which then results in an HTTP 200 response consisting of the string "OK". I get confused as to what happens next. It looks like the video file comes later as part of the Continuation or non-HTTP traffic as I get a lot of these. Isn't the request complete when the HTTP 200 response is received? Why then is it continuing to receive TCP data and then getting a HTTP Continuation or non-HTTP traffic? The subsequent TCP packets contain the video file I'm intending to download. When I manually craft a HTTP POST I get the HTTP OK response and then I'm stumped. How do I access the non-HTTP packets?

This is the code I use to simulate the HTTP POST.

import requests
dc = {"action":"download", "start_time":"2013 7 1 13 59 00", "end_time":"2013 7 14 3 0", "num":"255", "ch":"5"}
r = requests.post("http://192.168.0.200/cgi-bin/supervisor/NetworkBk.cgi", data=dc, auth=(username, password))

This is the RAW response of the HTTP OK reply. As far as I can tell, there is nothing there about expecting extra content.

HTTP/1.0 200 OK
Date: Mon, 01 Jul 2013 15:01:34 GMT
nServer: Linux/2.x UPnP/1.0 Avtech/1.0
Expires: 0
Pragma: no-cache
Cache-Control: no-cache
Connection: close
Content-Type: video/mpeg4
Content-Length: 5

0
OK

What’s going on and how do I get to the Continuation or non-HTTP traffic?

asked 01 Jul ‘13, 12:57

CadentOrange's gravatar image

CadentOrange
1112
accept rate: 0%

2 Answers:

2

The HTTP data part of the response is:

0\r\n
OK

Which is a response of 5 bytes. This is inline with the Content-Length header. The server should not send any more data after these 5 bytes. If it does, it is not following the RFC's. That is probably why Wireshark has some difficulty showing the HTTP data in a normal manner.

answered 01 Jul '13, 13:27

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

This is what I suspected which would explain why tools like wget and my own Python code don't work as expected.

(01 Jul '13, 23:49) CadentOrange

0

The 200 OK is HTTPs return code to the request you sent before - if data is to be delivered as part of the requests answer it will immediately start delivering it withing the very same packet containing the HTTP (Response) Header with the Return Code. So the 200 OK is the start of the data transmission following your request

answered 01 Jul '13, 13:23

Landi's gravatar image

Landi
2.3k51442
accept rate: 28%

I guess the part that throws me off is that the content of the HTTP OK response is 5 bytes and the connection is closed immediately after. As SYN-bit has said, this is not RFC compliant and is probably why I'm having trouble reading the response with standard tools. It looks like I will have to keep the socket open and read from it once I've got the OK response.

(01 Jul '13, 23:51) CadentOrange