Wireshark-bugs: [Wireshark-bugs] [Bug 3785] Some HTTP responses don't decode with TCP reassembly

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: bugzilla-daemon@xxxxxxxxxxxxx
Date: Mon, 1 Mar 2010 00:45:31 -0800 (PST)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3785

--- Comment #8 from aandres@xxxxxxxxxx 2010-03-01 00:45:31 PST ---
(In reply to comment #6)

Hi again Chris.

My apologies in advance.

Found the problem... and it was my fault :)

I was applying your patch in the wrong place (the current req_resp_hdrs.c
differs from yours), in fact I was patching the "if (content_length_found)"
block instead of the "if (content_type_found && pinfo->can_desegment)" block.

Now it works like a charm...

mad:/usr/local/src/wireshark-svn# ./tshark -n -o
"tcp.desegment_tcp_streams:TRUE" -o "http.desegment_headers:TRUE" -o
"http.desegment_body:TRUE" -r /usr/local/src/pcap/two-get-1-resp.pcap  -R
"http.request.method != 0 or http.response.code != 0"
Running as user "root" and group "root". This could be dangerous.
  4   0.173513 192.168.2.200 -> 195.20.242.89 HTTP GET
/pool/updates/main/b/bind9/bind9-host_9.5.1.dfsg.P3-1+lenny1_amd64.deb HTTP/1.1
GET /pool/updates/main/b/bind9/dnsutils_9.5.1.dfsg.P3-1+lenny1_amd64.deb
HTTP/1.1
 85   1.352351 195.20.242.89 -> 192.168.2.200 HTTP HTTP/1.1 200 OK 
(application/x-debian-package)
257   1.916961 195.20.242.89 -> 192.168.2.200 HTTP HTTP/1.1 200 OK 
(application/x-debian-package)


Unfortunately now the tcp-bad-order.pcap is not rightly decoded...

mad:/usr/local/src/wireshark-svn# ./tshark -n -o
"tcp.desegment_tcp_streams:TRUE" -o "http.desegment_headers:TRUE" -o
"http.desegment_body:TRUE" -r /usr/local/src/pcap/tcp-bad-order.pcap -R
"http.request.method != 0 or http.response.code != 0"
Running as user "root" and group "root". This could be dangerous.
  4   0.062535  172.17.1.41 -> 195.76.187.83 HTTP GET / HTTP/1.1
 10   0.142165  172.17.1.41 -> 195.76.187.83 HTTP GET /favicon.ico HTTP/1.1
 14   0.272430 195.76.187.83 -> 172.17.1.41  HTTP HTTP/1.1 200 OK  (text/plain)

So, patching the "if (content_length_found)" block the tcp-bad-order.pcap file
is correctly decoded but then the two-get-1-resp.pcap file is badly decoded.

Maybe can I open a new bug assigned to this issue? I'm not sure because it
seems related in some way.

Cheers.

-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.