Hi Guys, Quetion 1: I captures the HTTPS packets.I applied the pre-master keys.Some url's I am decrypted as HTTP request and response but some url's I am getting "ssl segment of a reassembled pdu". How to resolve this "ssl segment of a reassembled pdu" in wireshark. I want to see the HTTP request and responce for all HTTPS packets. Is there any option to enable or disable in wireshark. Quetion 2: 1) For HTTP I am getting "tcp segment of a reassembled pdu". How to solve this thing to display as HTTP protocol. Quetion 3: 1) some times for HTTP I am getting "continuation or non HTTP traffic". How to solve this thing also. I need urgent reply.Could you please answer the above problem. Thanks for information. Regards, Swathi. asked 08 Feb '16, 23:38 swathi jakkam |
2 Answers:
Swathi, I am afraid your description is too generic so without the capture file along with the pre-master keys file it is hard to say what may be issues. So if you can, post both. But in general: whenever a protocol data unit (PDU) of an application protocol which uses TCP as transport is bigger than the available tcp packet size, it has to be split into several TCP packets. Wireshark shows only the last packet carrying that PDU as containing that application protocol, and the dissection of the PDU is available in that last packet; all the packets before are shown as "segment of a reassembled pdu". Now there are two possible cases:
As for "continuation or non-http traffic", the dissector may be missing the context from the previous packets due to packet loss during capture or because you've started the capture after that http communication has already started. answered 09 Feb '16, 06:18 sindy |
In general if you're seeing "XXX segment of a reassembled pdu" then you're looking at a middle packet which Wireshark isn't going to show you as HTTP or HTTPS because Wireshark needs the full (reassembled) packet in order to decode it properly. Filter for Note: it is possible that the reassembly has actually failed in which case you may not see the reassembled packet. That's common when there are TCP retransmissions or out-of-sequence or missing packets. In these cases generally the best you can do is try to get a better capture. For "continuation or non-http traffic" this usually means Wireshark has missed some packets and is seeing the middle of the HTTP stream without having seen the beginning. This will continue until Wireshark sees another start of an HTTP stream. Again, generally the best you can do is get a better capture that doesn't miss any packets. answered 09 Feb '16, 06:52 JeffMorriss ♦ |