Feel free to nix this message. I've received some local assistance.
Most definitely not an ethereal problem.
Thanks,
Will
On Thu, 2004-07-15 at 12:02, Will Stockwell wrote:
> Hi,
>
> I'm using ethereal to assist in testing some HTTP analysis stuff I've
> done. While investigating a bug, I was looking at some packets that were
> part of a response to a simple GET request. The response was chunked
> and my analysis code seemed to parse it fine, but there was a small
> quirk I was looking into when I came across this seemingly incorrect
> parsing of the message.
>
> If you look at the attached ethereal screenshot (I blacked out address,
> but all relevant information should be visible), you'll see in the list
> of packets that packet # 1620 includes a FIN flag. The flow, however,
> appears to continue. Messages like frame # 2216 and 2217 continue for a
> little while. The apparent TCP payload (according to TCP and IP fields)
> is a single byte, but as you can see in the hex display there are a
> further 5 bytes following the apparent single payload of 'ff'. The
> checksums all appear to be correct, so this leaves me very confused.
>
> My questions are the following. Is this a weird packet capture/ethereal
> issue or some illicit behavior on the part of the transmitting host?
> The additional bytes beyond the payload in lieu of the correct checksums
> lead me to believe it is the former (how would those 5 extra bytes
> survive a trip across the internet?), but the fact that this packet was
> sent following a packet with a FIN flag set inclines me to believe it's
> someone being naughty.
>
> Any input would greatly assist me in understanding what's going on.
> Please CC me with any response as I am not a subscriber to the mailing
> list.
>
>
> Thanks,
>
> Will