This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Websocket unmasking truncates packets

0

(apologies if this is a repost, but I think the forum lost my initial post after I signed up)

I'm debugging an application which sends websocket JSON packets up to 20MB in size. I'm filtering on (websocket). With unmasked (outbound) packets, unmasking appears to truncate the packet.

Outbound (masked) packet

In the tabs below the dump:

Frame (620 bytes) | Reassembled TCP (1483458 bytes) | Unmasked data (262144 bytes)

In the Websocket header:

Extended Payload length (64 bits): 1483444

"Javascript Object Notation" can't be expanded.

Inbound (unmasked) packet

In contrast, when I view an unmasked (inbound) packet:

Tabs:

Frame (1040 bytes) | Reassembled TCP (1477944)

Websocket header:

Extended Payload length (64 bits): 1477934

"Javascript Object Notation" can be expanded.

I'm actually debugging a problem whereby my Java application cannot receive large messages (but is sending them OK), so this doesn't impede my work - but in case it's a bug, I figured I should post here.

asked 24 Nov '16, 07:26

markkc's gravatar image

markkc
6112
accept rate: 0%

One Answer:

0

It's actually not a bug. The Websocket dissector intentionally limits the unmasked data to 256 kbytes:

#define MAX_UNMASKED_LEN (1024 * 256)

I suppose it could be made more obvious that this is what has happened--maybe an expert info would be useful here.

answered 04 Jan '17, 11:42

JeffMorriss's gravatar image

JeffMorriss ♦
6.2k572
accept rate: 27%