Wireshark-bugs: [Wireshark-bugs] [Bug 11079] New: Reassembled chunked HTTP responses over SSL ar
Date: Tue, 24 Mar 2015 16:04:50 +0000
Bug ID 11079
Summary Reassembled chunked HTTP responses over SSL are shown twice in the tree
Product Wireshark
Version Git
Hardware All
OS All
Status UNCONFIRMED
Severity Normal
Priority Low
Component Dissection engine (libwireshark)
Assignee bugzilla-admin@wireshark.org
Reporter peter@lekensteyn.nl

Created attachment 13523 [details]
SSL capture of a chunked HTTP response (master key in capture file comments)

Build Information:
Tested revisions of wireshark-gtk on Arch Linux x86_64:
v1.99.1rc0-232-g5e4e17c
v1.99.6rc0-9-gce76a64
--
For some reason the dissected HTTP payload is displayed twice in the tree.
Possible factors causing this:

 - SSL records spanning multiple TCP segments.
 - Chunked encoding.

It is probably a bug in the SSL dissector.

Example packet tree of frame 50 (with some headers stripped):

Transmission Control Protocol, Src Port: 443 (443), Dst Port: 50177 (50177),
Seq: 35575, Ack: 758, Len: 1125
[9 Reassembled TCP Segments (16413 bytes): #30(963), #33(1448), #34(1448),
#37(1448), #38(1448), #41(2896), #44(2896), #47(2896), #50(970)]
Secure Sockets Layer
[3 Reassembled SSL segments (32894 bytes): #30(16384), #50(16384), #50(126)]
Hypertext Transfer Protocol
    HTTP/1.1 200 OK\r\n
    Content-Type: text/html; charset=UTF-8\r\n
    Transfer-Encoding: chunked\r\n
    Connection: keep-alive\r\n
    \r\n
    [HTTP response 1/1]
    [Time since request: 0.063950760 seconds]
    [Request in frame: 13]
    HTTP chunked response
        Data chunk (8104 octets)
        Data chunk (8192 octets)
        Data chunk (8192 octets)
        Data chunk (4096 octets)
        Data chunk (4027 octets)
        End of chunked encoding
        \r\n
Line-based text data: text/html
Secure Sockets Layer
[3 Reassembled SSL segments (32894 bytes): #30(16384), #50(16384), #50(126)]
Hypertext Transfer Protocol
    HTTP/1.1 200 OK\r\n
    Content-Type: text/html; charset=UTF-8\r\n
    Transfer-Encoding: chunked\r\n
    Connection: keep-alive\r\n
    \r\n
    [HTTP response 1/1]
    [Time since request: 0.063950760 seconds]
    [Request in frame: 13]
    HTTP chunked response
        Data chunk (8104 octets)
        Data chunk (8192 octets)
        Data chunk (8192 octets)
        Data chunk (4096 octets)
        Data chunk (4027 octets)
        End of chunked encoding
        \r\n
Line-based text data: text/html

The decryption keys (CLIENT_RANDOM + master key) of the attached packet capture
are available in the capture file comments.


You are receiving this mail because:
  • You are watching all bug changes.