Wireshark-users: Re: [Wireshark-users] How to view TCP responses

From: Sake Blok <sake@xxxxxxxxxx>
Date: Wed, 9 Apr 2008 11:07:46 +0200
On Wed, Apr 09, 2008 at 10:27:19AM +0200, Steinar Bang wrote:
> Platform: Intel Pentium M, Ubuntu 7.10,
> 	  wireshark 0.99.6rel-3ubuntu0.1
> 
> I've captured an HTTP/1.1 connection on port 33333, using the filter
> 	port 33333
> 
> I've also right clicked the capture, and selected
> 	Decode As...
> and chosen to decode the TCP capture as HTTP.
> 
> In the capture field I see the HTTP request packages, and when I do 
> 	Follow TCP Stream
> I see both the quest and the response.
> 
> However, in the capture packet list I only see the packets related to
> the TCP connection itself, and the "payload" for the HTTP request.  I
> can't find the response "payload" anywhere.
> 
> Obviously the packes are in the capture, because otherwise their content
> wouldn't have been in the "Follow TCP Stream" result.
> 
> Is there a way I can look at the response packages in the dissector?

There has been a bug in the HTTP reassembly logic which made the
HTTP dissector to not show some HTTP responses when the TCP dissector
allowed subdissectors to do reassembly.

You could either turn of reassembly (in the tcp protocol preferences or
in the http protocol preferences) or install a more recent version of
Wireshark (I'm not sure though in which version it was fixed, so you
might want to go straight to the latest version, which is 1.0).

Hope this helps,
Cheers,
    Sake