This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

HTTP request was not displayed in my Wireshark.

I have a pcap extracted from a malware pcap. It looks like a simple HTTP transaction, but I don't know why it looks different on my Wireshark (1.10.6): packet 4 is not shown as the HTTP transaction (it's shown as "TCP segment of a reassembled PDU"). The HTTP request is shown for packet 9.

I know my Wireshark is a little old, but I'm a little surprised that this basic pcap has the problem. I just want to confirm.

pcap

asked 23 Jun '15, 22:07

pktUser1001


One Answer:

Go to Edit > Preferences > Protocols > TCP and uncheck "Allow subdissector to reassemble TCP streams."

answered 23 Jun '15, 22:22

Jim Aragon

Thanks @jim-aragon. It helps. I wonder exactly what "Allow subdissector to reassemble TCP streams" means here. After all, packets 7, 8 and 9 don't have any TCP data; packet 4 has all the TCP data for a complete HTTP request. I wonder why there is a need to change the option "Allow subdissector to reassemble TCP streams". Thanks.

(24 Jun '15, 06:26) pktUser1001