c y a écrit :
Hi all,
I'm not able to understand some data I see in wireshark and I hope to
get some help. Here's my scenario:
1) Host A sends http request to Host B. I see frames related to this.
2) Host B send http response to Host A. This part is where things get
interesting. I see 2 frames in wireshark related to this
a) First one is a http protocol message with 1114 bytes. In the IP
Protocol for this message, Don't fragment and more fragments flags are
not set. And fragment offset is 0. The data is part of my html content.
b) Second one is also http protocol message with 798 bytes. This
says Continuation or non-HTTP Traffic. Again this does not have flags
in ip protocol set and the fragment offset is 0. The data contains the
remaining of my content.
Wireshark is able to assemble the data from both the frames in the
http response. So, this is good.
The thing I do not understand is - how does wireshark assemble the
frames. Identification field in IP Protocol is also different for the
frames. Which field does wireshark look at to figure out that this is
part of a single http response ?
The HTTP response must contains a field Content-Length.
Content-Length = length of data which follow the HTTP header.
HTTP header is finished by an empty line.
Thanks,
cy
------------------------------------------------------------------------
___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe