This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I have a pcap file including 2 TCP streams from the same HTTP server.Displayed in Wireshark, in the 1st stream, the content from HTTP server shown as "Continuation or non-HTTP traffic"; while the 2nd stream the content shown as "TCP segment of a reassembled PDU". I don't find any difference between the 2 kinds at TCP layer.

Could someone tell me how Wireshark identify them? Does Wireshark check HTTP header for content-length?

I have the pcap, but I don't know how to upload the file. Send me email [email protected] for the pcap if you need check for details.

asked 24 May '14, 07:27

shenfanren's gravatar image

shenfanren
26113
accept rate: 0%


This is probably just the result of the TCP stream reassembly feature. To verify, go to Edit -> Preferences -> Protocols -> TCP and disable "Allow subdissector to reassemble TCP streams". Now both should show "Continuation or non-HTTP traffic". Basically the reassembly feature is trying to reconstruct payloads, which is often useful for content examination.

permanent link

answered 24 May '14, 07:38

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

Thanks for your reply. I did as you said and it is. I wonder why if enable "Allow subdissector to reassemble TCP streams" option, they are shown as different?

(24 May '14, 07:51) shenfanren

send me email [email protected] if you have time to help me check the pcap file.

(24 May '14, 07:54) shenfanren

I don't have time for that, and I see you've got it figured out already. Next time put your traces on http://www.cloudshark.org and post the URL ;-)

(24 May '14, 08:13) Jasper ♦♦

I find the most properly answer in another FAQ syas: The HTTP header "Content-Length" informs the HTTP dissector of how much data is expected and it keeps asking the TCP dissector for more until it receives the required amount.

In short word it based on if "content-length" exist or not.

permanent link

answered 24 May '14, 08:07

shenfanren's gravatar image

shenfanren
26113
accept rate: 0%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×26
×11
×11

question asked: 24 May '14, 07:27

question was seen: 6,719 times

last updated: 24 May '14, 08:13

p​o​w​e​r​e​d by O​S​Q​A