On Nov 11, 2009, at 12:20 AM, Qmo (Yi-Sheng) wrote:
I want to decode the HTTP packet, but it involves the three packets.
In Wireshark "Packet bytes Pane", the packet No. 134 shows
[Reassembled TCP Segments (1938 bytes): #132(272) #133(1460)
#134(206) ]
[Frame: 132 , payload: 0-271]
[Frame: 133 , payload: 272-1731]
[Frame: 134, payload:1732-1937]
How does Wireshark know this information via the cap file?

Because it knows what HTTP responses look like - a Status-Line, a
bunch of {general,response,entity}-headers, a blank line, and a
response body, with the latter terminated either by the byte count
from the headers or by closing the connection - so it accumulates the
contents of TCP segments until it's seen all of that.
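
The accumulation described above, as an added Python example; it is not part of the original message and is not Wireshark's dissector code. The response bytes are constructed to match the segment sizes in the question, the function names are hypothetical, and chunked transfer encoding, bodiless responses and pipelining are assumed absent.

```python
import re

CONTENT_LENGTH = re.compile(rb"(?im)^Content-Length:[ \t]*(\d+)[ \t]*\r?$")

def response_complete(buf, closed=False):
    """True once buf holds Status-Line, headers, blank line and the whole body."""
    end = buf.find(b"\r\n\r\n")
    if end < 0:
        return False                  # blank line not seen: headers still arriving
    m = CONTENT_LENGTH.search(buf[:end + 2])
    if m is None:
        return closed                 # no byte count: body runs until the connection closes
    return len(buf) >= end + 4 + int(m.group(1))

def reassemble(segments, closed=False):
    """segments: in-order (frame_no, tcp_payload) pairs from one side of a connection.
    Returns (ranges, pdu) when the response is complete, else None.
    ranges lists (frame_no, first_byte, last_byte) as in the Wireshark display."""
    buf, ranges = b"", []
    for i, (frame, payload) in enumerate(segments):
        ranges.append((frame, len(buf), len(buf) + len(payload) - 1))
        buf += payload
        is_last = i == len(segments) - 1
        if response_complete(buf, closed and is_last):
            return ranges, buf
    return None                       # still waiting for more segments

# Constructed sample: a 1938-byte response cut into the three segment sizes
# from the question (272, 1460 and 206 bytes in frames 132, 133 and 134).
BODY = b"x" * 1800
HEAD = b"HTTP/1.1 200 OK\r\nContent-Length: 1800\r\nX-Pad: "
HEAD += b"p" * (1938 - len(BODY) - len(HEAD) - 4) + b"\r\n\r\n"
SAMPLE = HEAD + BODY

SEGMENTS, off = [], 0
for frame, size in ((132, 272), (133, 1460), (134, 206)):
    SEGMENTS.append((frame, SAMPLE[off:off + size]))
    off += size

if __name__ == "__main__":
    ranges, pdu = reassemble(SEGMENTS)
    print("Reassembled TCP Segments (%d bytes)" % len(pdu))
    for frame, first, last in ranges:
        print("Frame: %d, payload: %d-%d" % (frame, first, last))
```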