c y a �crit :
Hi all,
I'm not able to understand some data I see in wireshark and I hope to 
get some help. Here's my scenario:
1) Host A sends http request to Host B. I see frames related to this.
2) Host B send http response to Host A. This part is where things get 
interesting. I see 2 frames in wireshark related to this
    a) First one is a http protocol message with 1114 bytes. In the IP 
Protocol for this message, Don't fragment and more fragments flags are 
not set. And fragment offset is 0. The data is part of my html content.
    b) Second one is also http protocol message with 798 bytes. This 
says Continuation or non-HTTP Traffic. Again this does not have flags 
in ip protocol set and the fragment offset is 0. The data contains the 
remaining of my content.
Wireshark is able to assemble the data from both the frames in the 
http response. So, this is good.
The thing I do not understand is - how does wireshark assemble the 
frames. Identification field in IP Protocol is also different for the 
frames. Which field does wireshark look at to figure out that this is 
part of a single http response ?
The HTTP response must contains a field Content-Length.
Content-Length = length of data which follow the HTTP header.
HTTP header is finished by an empty line.
Thanks,
cy
------------------------------------------------------------------------
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe