This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

HTTP = Requests + Responses?

0

Hi, I used these 3 filters to count http packet numbers:

For Http packets: "port http"

For Http request packets: "tcp dst port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)"

For Http response packets: "tcp src port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)"

And with this file:

http://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=http.cap I got this result:

Http pkt count = 479
Http req count = 1
Http res count = 168

The question is: How come req + res != total? What are those 310 packets?

Thanks

asked 17 Jun '14, 00:03


abd
accept rate: 0%

edited 17 Jun '14, 00:04

I think those other 310 packets are "continuation or non-http traffic" packets; when you enable "Reassemble HTTP headers spanning multiple TCP segments" in the http preferences, they will disappear.

(17 Jun '14, 05:04) kishan pandey

One Answer:

1

Those 310 packets are probably those that you filtered 'away' with the following term

(((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)

as that is the difference between 'port http', which is equivalent to

tcp dst port 80 or tcp src port 80

So, if you filter for (in the first step)

port http and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)

you should get the same results.

Regards
Kurt

answered 17 Jun '14, 07:52


Kurt Knochner ♦
accept rate: 15%
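To make the arithmetic in that filter term concrete, here is an added example (not from the original thread or from Wireshark): it computes the TCP payload length exactly as `ip[2:2] - ((ip[0]&0xf)<<2) - ((tcp[12]&0xf0)>>2)` does and sorts port-80 segments into request, response, continuation (body data without an HTTP header) and empty (pure ACK/SYN/FIN). The packets it runs on are constructed inline with 20-byte headers and zero checksums; `make_packet`, `classify` and `count` are names chosen for this example.

```python
import struct
from collections import Counter

METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS"}

def tcp_payload_len(pkt: bytes) -> int:
    """TCP payload length, computed exactly as the BPF term in the question:
    ip[2:2] - ((ip[0]&0xf)<<2) - ((tcp[12]&0xf0)>>2), i.e. IP total length
    minus IP header length minus TCP header length (pkt starts at the IP header)."""
    ip_total_len = struct.unpack("!H", pkt[2:4])[0]
    ip_hdr_len = (pkt[0] & 0x0F) << 2
    tcp_hdr_len = (pkt[ip_hdr_len + 12] & 0xF0) >> 2
    return ip_total_len - ip_hdr_len - tcp_hdr_len

def classify(pkt: bytes) -> str:
    """Sort a port-80 segment into request / response / continuation / empty."""
    ip_hdr_len = (pkt[0] & 0x0F) << 2
    tcp = pkt[ip_hdr_len:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    if 80 not in (sport, dport):
        return "not-http"
    plen = tcp_payload_len(pkt)
    if plen == 0:
        return "empty"  # pure ACK/SYN/FIN: matched by "port http", dropped by "!= 0"
    payload = tcp[(tcp[12] & 0xF0) >> 2:][:plen]
    if dport == 80 and payload.split(b" ", 1)[0] in METHODS:
        return "request"
    if sport == 80 and payload.startswith(b"HTTP/"):
        return "response"
    return "continuation"  # body data with no HTTP header: the "missing" packets

def count(packets) -> dict:
    """Per-class packet counts; request + response is less than the total."""
    return dict(Counter(classify(p) for p in packets))

def make_packet(sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed IPv4+TCP segment with 20-byte headers and zero checksums."""
    total = 40 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return ip + tcp + payload

if __name__ == "__main__":
    sample = [  # constructed: one request, a response split over two segments, two ACKs
        make_packet(40000, 80, b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n"),
        make_packet(80, 40000, b""),
        make_packet(80, 40000, b"HTTP/1.1 200 OK\r\nContent-Length: 12\r\n\r\nhello "),
        make_packet(80, 40000, b"world\n"),
        make_packet(40000, 80, b""),
    ]
    print(count(sample))  # {'request': 1, 'empty': 2, 'response': 1, 'continuation': 1}
```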

Thanks. Well, there is something that I didn't know about http. There are many packets in response to a request that don't have an Application Layer Header. They're probably the continuation of a response packet (with Application Layer Header) which didn't finish in the response packet itself. So, my stats are actually true. HTTP != Req pkts + Res pkts. Thank you sooo much for leading me to understand this.

Thanks

(17 Jun '14, 21:09) abd

Good.

Hint: If a supplied answer resolves your question can you please "accept" it by clicking the checkmark icon next to it. This highlights good answers for the benefit of subsequent users with the same or similar questions. For extra points you can up vote the answer (thumb up).

(18 Jun '14, 09:48) Kurt Knochner ♦