Wireshark-users: Re: [Wireshark-users] HTTP not decoded
From: Prigge Scott <PriggeScottM@xxxxxxxxxxxxx>
Date: Wed, 3 Nov 2010 11:46:41 -0500
I think the reason Wireshark isn't detecting this as HTTP is because the HTTP decoder is smart enough to recognize this isn't a technically valid HTTP request. According to the RFC, there needs to be a blank line separating the final HTTP header and the data, which translates into the sequence 0x0d 0x0a in the bit pattern. Because that string doesn't appear in the place it's supposed to, Wireshark treats this simply as bulk TCP data.

> -----Original Message-----
> From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Srivats P
> Sent: Wednesday, November 03, 2010 10:31 AM
> To: wireshark-users@xxxxxxxxxxxxx
> Subject: [Wireshark-users] HTTP not decoded
> 
> Hi,
> 
> Wireshark does not seem to decode TCP port 80 as HTTP for the attached
> pcap file - instead it shows the HTTP data as "TCP segment data".
> 
> Is this expected behaviour? Is it because the file does not contain the
> TCP handshake packets?
> 
> Using Wireshark Version 1.2.1 (SVN Rev 29141) on Windows.
> 
> Regards,
> Srivats
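
Added example (not part of the original messages, and not Wireshark's dissector logic): a Python check of whether a TCP payload is framed as an HTTP/1.x request, meaning a request line, header lines, and then an empty line, which on the wire is CRLF immediately followed by CRLF (RFC 2616). The function name and the sample payloads are constructed for illustration.

```python
import re

CRLF = b"\r\n"
# Request line: method SP request-target SP HTTP-version (HTTP/1.x style).
REQUEST_LINE = re.compile(rb"[!#$%&'*+.^_`|~0-9A-Za-z-]+ \S+ HTTP/\d\.\d")

# Constructed sample payloads (not taken from the pcap in the thread).
VALID = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
         b"Content-Length: 5\r\n\r\nhello")
NO_BLANK_LINE = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
                 b"Content-Length: 5\r\nhello")
LF_ONLY = b"GET / HTTP/1.1\nHost: example.test\n\n"


def check_http_request(payload: bytes) -> dict:
    """Report how far a raw TCP payload conforms to HTTP/1.x request framing."""
    result = {"request_line_ok": False, "headers_terminated": False,
              "body_offset": None, "bad_header_lines": []}

    # The request line must itself end in CRLF.
    first, sep, _ = payload.partition(CRLF)
    result["request_line_ok"] = bool(sep) and bool(REQUEST_LINE.fullmatch(first))

    # The header section ends at the first empty line: CRLF CRLF.
    end = payload.find(CRLF + CRLF)
    if end != -1:
        result["headers_terminated"] = True
        result["body_offset"] = end + 4
        header_block = payload[len(first) + 2:end]
    else:
        header_block = payload[len(first) + 2:]

    # Every header line needs a "name: value" colon; folded continuation
    # lines (leading space or tab) are tolerated.
    for line in header_block.split(CRLF):
        if line and line[:1] not in b" \t" and b":" not in line:
            result["bad_header_lines"].append(line)
    return result


if __name__ == "__main__":
    for name, sample in (("valid", VALID), ("no blank line", NO_BLANK_LINE),
                         ("LF only", LF_ONLY)):
        print(name, check_http_request(sample))
```

With the blank line missing, the body bytes show up as a malformed header line and no body offset is found, which is the kind of framing error to look for in the hex pane of a capture that stays as "TCP segment data".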