This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hello. I'm trying to analyze some HTTP trafic, in the older version of wireshark, requests and responses were displayed in the same window, but after an update I can only see requests or only responses, they are in different streams for some reason.

asked 16 Feb '15, 21:58

blaine's gravatar image

blaine
6113
accept rate: 0%

Which version of wireshark were you using when it still worked and which version are you using now?

If you can supply the capture file (on Cloudshark for instance), that would be great. You can anonimize the file with TraceWrangler if you need to remove the ip addresses and/or the TCP payload of the packets.

(17 Feb '15, 00:31) SYN-bit ♦♦

here it is: https://www.cloudshark.org/captures/28457348b590

I don't remember what version it was exactly, but it was few months ago. I needed to see why something isn't working so I launched wireshark, and it requested an update, I updated and...

(17 Feb '15, 08:08) blaine

but after an update I can only see requests or only responses, they are in different streams for some reason.

this is (most certainly) not a Wireshark issue, but an issue with the capture file. Take a look at frame #1 and frame #2 and you'll realize that the capture file (most certainly) has been modified with some tools and something went wrong.

Reasons:

Frame #1: SEQ = 4259920039
Frame #2: ACK = 4259920040

So, frame #2 is (most certainly) the SYN-ACK for the SYN in frame #1, however with different source ports.

Furthermore, the src-mac and dst-mac in frame #2 is IDENTICAL !?! Same for other frames...

My conclusion: This capture file has been run through an pcap anonymization tool and something went wrong.

Regards
Kurt

permanent link

answered 17 Feb '15, 14:50

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 17 Feb '15, 14:53

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×29

question asked: 16 Feb '15, 21:58

question was seen: 1,337 times

last updated: 17 Feb '15, 14:53

p​o​w​e​r​e​d by O​S​Q​A