On Wed, Apr 13, 2011 at 07:53:08PM +0200, Cui Heng wrote:
> If I have an HTTP trace in libpcap format, I found Wireshark can
> perfectly reassemble the HTTP response data and parse its content (e.g.
> HTML) in clear text. Can someone suggest to me which src file(s) or part
> of functions achieve this parsing?

The HTTP dissector handles this - it's in epan/dissectors/packet-http.c.
From there you'll see it pass off to functions from other files such as
req_resp_hdrs_do_reassembly() in epan/req_resp_hdrs.c. See also
doc/README.developer, section 2.7 "Reassembly/desegmentation for
protocols running atop TCP" for more details on how Wireshark's
reassembly works.