Hi!
I have a pretty big capture (see below) of a HTTP session with six
requests in a single connection. According to tcpflow (v 0.21) the
requests themselves add up to 2582 bytes of data and the responses
(inclusive data) add up to 16794419 bytes. The requests are pretty evenly
spread out in the capture (packet nr 4, 8, 3326, 6780, 10196 and 13558
according to Ethereal) and in between are (response) data (and headers).
The problem is when I try to view the whole session with the "Follow TCP
Stream" feature. The first problem is that the drop-down menu where you
select if you want to see the entire conversation or just "one direction"
claims that the entire conversation is just 1850809 bytes long. That's not
what tcpflow says (see above) and can't be correct since the capture file
in itself is a whole 17975621 bytes long (and it contains only this
connection). The second problem is that the last four requests is lumped
together at the end with no response data in between. That's not what
Ethereal's main window says happened and doesn't make sense anyhow.
I first thought this was some sort of size limitation in "Follow
TCP Stream" but I have tested with a much larger capture with success so
that doesn't seem to be the case.
Maybe I have missed something obvious?
Ethereal tested: 0.10.13
The capture is here: http://svartvitt.org/mdna.filtered.pcap.bz2
(BTW, I really like the "Follow TCP Stream" feature!)
Please CC me.
Regards,
s