This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

What is the difference between “Continuation or non-HTTP traffic” and “TCP segment of a reassembled PDU”

1

I have a pcap file including 2 TCP streams from the same HTTP server. Displayed in Wireshark, in the 1st stream the content from the HTTP server is shown as "Continuation or non-HTTP traffic", while in the 2nd stream the content is shown as "TCP segment of a reassembled PDU". I don't find any difference between the 2 kinds at the TCP layer.

Could someone tell me how Wireshark identifies them? Does Wireshark check the HTTP header for content-length?

I have the pcap, but I don't know how to upload the file. Send me an email at [email protected] for the pcap if you need to check the details.

asked 24 May '14, 07:27

shenfanren


2 Answers:

0

This is probably just the result of the TCP stream reassembly feature. To verify, go to Edit -> Preferences -> Protocols -> TCP and disable "Allow subdissector to reassemble TCP streams". Now both should show "Continuation or non-HTTP traffic". Basically the reassembly feature is trying to reconstruct payloads, which is often useful for content examination.

answered 24 May '14, 07:38

Jasper ♦♦

Thanks for your reply. I did as you said and it is. I wonder why, if the "Allow subdissector to reassemble TCP streams" option is enabled, they are shown as different?

(24 May '14, 07:51) shenfanren

Send me an email at [email protected] if you have time to help me check the pcap file.

(24 May '14, 07:54) shenfanren

I don't have time for that, and I see you've got it figured out already. Next time put your traces on http://www.cloudshark.org and post the URL ;-)

(24 May '14, 08:13) Jasper ♦♦

0

I found the most proper answer in another FAQ, which says: The HTTP header "Content-Length" informs the HTTP dissector of how much data is expected and it keeps asking the TCP dissector for more until it receives the required amount.

In short, it is based on whether "content-length" exists or not.

answered 24 May '14, 08:07

shenfanren
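
The labelling described in the two answers above, as a simplified model added to this archive page (it is not part of the original thread and not Wireshark's code). The function name, the sample payloads and the "HTTP (reassembled)" label are constructed for illustration; the model assumes the HTTP headers fit in one segment and ignores chunked transfer encoding.

```python
import re

# Constructed model of the Info-column labels discussed above; not Wireshark code.
REASSEMBLED = "TCP segment of a reassembled PDU"
CONTINUATION = "Continuation or non-HTTP traffic"
START_LINE = re.compile(rb"^(HTTP/1\.[01] \d{3} |[A-Z]+ \S+ HTTP/1\.[01]\r\n)")
CONTENT_LENGTH = re.compile(rb"^content-length:[ \t]*(\d+)[ \t]*\r?$", re.I | re.M)


def label_segments(segments, reassemble=True):
    """Return one label per in-order TCP payload of a single direction.

    reassemble models the TCP preference "Allow subdissector to reassemble
    TCP streams". Assumes the HTTP headers fit in one segment and ignores
    chunked transfer encoding.
    """
    labels = []
    missing = 0  # body bytes the HTTP dissector is still waiting for
    for payload in segments:
        if missing:
            # Mid-PDU: this segment belongs to a message being reassembled.
            missing -= min(missing, len(payload))
            # "HTTP (reassembled)" is a constructed label for the final segment.
            labels.append(REASSEMBLED if missing else "HTTP (reassembled)")
            continue
        if not START_LINE.match(payload):
            labels.append(CONTINUATION)
            continue
        head, sep, body = payload.partition(b"\r\n\r\n")
        length = CONTENT_LENGTH.search(head)
        if reassemble and sep and length and int(length.group(1)) > len(body):
            # Content-Length says more data is coming: ask TCP for the rest.
            missing = int(length.group(1)) - len(body)
            labels.append(REASSEMBLED)
        else:
            labels.append("HTTP")
    return labels


# Constructed sample: one 3000-byte response split over three segments.
BODY = [b"x" * 1000] * 3
WITH_LEN = [b"HTTP/1.1 200 OK\r\nContent-Length: 3000\r\n\r\n" + BODY[0], *BODY[1:]]
NO_LEN = [b"HTTP/1.1 200 OK\r\nConnection: close\r\n\r\n" + BODY[0], *BODY[1:]]
```

Calling `label_segments(WITH_LEN)` and `label_segments(NO_LEN)` reproduces the two displays from the question, and passing `reassemble=False` makes both streams show "Continuation or non-HTTP traffic" as in the first answer.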