Wireshark-users: Re: [Wireshark-users] Decode TCP trame cup into different parts

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Thu, 7 Jan 2010 04:22:01 -0800
On Jan 7, 2010, at 4:03 AM, Olivier-externe GERAULT wrote:

> I would like to analyze packets sent and received, but they are cut into many parts and Wireshark seems unable to understand the entire message. 
> For example, in the "Follow TCP Stream", I get the result: 

	{HTTP POST request}

> I can see that it is a SOAP response and the beginning of the message is quite clear. 
> But the 2nd packet is not decoded and I don't know how to read it. 

What do you mean by "packet" here?  That might be two or more TCP segments, but it appears to be a *single* HTTP POST request.  It says

	Content-Encoding: gzip

which means that the data in the POST request is gzipped; that's why what comes after

	Content-Length: 190

and the blank line following the Content-Length line is a bunch of binary data.

What does Wireshark show in the packet summary pane?  If it's doing reassembly of HTTP headers and data, it should show an HTTP POST, and if you click on that, it should show the entire packet - and possibly even unzip the compressed data and show the XML.

> Is there an option in Wireshark?

There are options for the HTTP dissector (select Edit -> Preferences, open up the Protocols list, and select HTTP) for "Reassemble HTTP headers spanning multiple TCP segments" and "Reassemble HTTP bodies spanning multiple TCP segments"; make sure those options, and "Uncompress entity bodies", are all on (checked).  (Also make sure "Reassemble chunked transfer-coded bodies" is on, although that won't affect that *particular* HTTP message.)
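As an added illustration of what the reassembly and "Uncompress entity bodies" steps do (example code written for this page, not from the thread or from Wireshark's own source), the Python snippet below builds a constructed gzipped SOAP POST, slices it into segment-sized chunks the way TCP would, buffers the chunks until the headers and Content-Length bytes of body have all arrived, and only then gunzips the body to recover the XML. The URL, host name, sample XML and the 100-byte segment size are all made up for the example; the real capture in the post has Content-Length 190 and its own payload.

```python
import gzip
from typing import List, Optional, Tuple

# Constructed sample: a gzipped SOAP-style POST, not the poster's capture.
SAMPLE_XML = (
    b'<?xml version="1.0"?>'
    b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    b'<soap:Body><Ping/></soap:Body></soap:Envelope>'
)


def build_sample_request() -> bytes:
    """Build an HTTP POST whose body is gzip-compressed (hypothetical host/path)."""
    body = gzip.compress(SAMPLE_XML, mtime=0)  # mtime=0 keeps the bytes deterministic
    headers = (
        b"POST /service HTTP/1.1\r\n"
        b"Host: example.invalid\r\n"
        b"Content-Type: text/xml; charset=utf-8\r\n"
        b"Content-Encoding: gzip\r\n"
        b"Content-Length: " + str(len(body)).encode("ascii") + b"\r\n"
        b"\r\n"
    )
    return headers + body


def segment(data: bytes, size: int) -> List[bytes]:
    """Split a byte stream into fixed-size chunks, standing in for TCP segments."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def parse_http_message(buf: bytes) -> Optional[Tuple[str, dict, bytes]]:
    """Return (request line, headers, decoded body) once the whole message is in buf.

    Returns None while headers or body are still incomplete, which is exactly the
    state a dissector is in when it has seen only the first segment.
    """
    end = buf.find(b"\r\n\r\n")
    if end < 0:
        return None  # blank line after the headers not seen yet
    head = buf[:end].decode("latin-1")
    lines = head.split("\r\n")
    request_line = lines[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", "0"))
    body_start = end + 4
    if len(buf) - body_start < length:
        return None  # Content-Length bytes of body not all here yet
    body = buf[body_start:body_start + length]
    # This is the "uncompress entity bodies" step: the bytes after the blank
    # line are a gzip stream, so they look like binary until inflated.
    if headers.get("content-encoding", "").lower() == "gzip":
        body = gzip.decompress(body)
    return request_line, headers, body


def reassemble(segments: List[bytes]) -> Optional[Tuple[str, dict, bytes]]:
    """Feed segments in order and return the parsed message as soon as it is complete."""
    buf = b""
    for seg in segments:
        buf += seg
        result = parse_http_message(buf)
        if result is not None:
            return result
    return None  # stream ended before the message was complete


if __name__ == "__main__":
    message = build_sample_request()
    segs = segment(message, 100)
    print("first segment alone decodes to:", parse_http_message(segs[0]))
    request_line, hdrs, xml = reassemble(segs)
    print(request_line, hdrs["content-encoding"], xml.decode())
```

Run stand-alone, the first segment on its own parses to None (its 100 bytes end before the header block does), and only after the remaining segments are appended does the gzip body inflate to the XML. That is the same dependency Guy describes: without segment reassembly the dissector never reaches the point where decompression can run. The equivalent switches can also be set on the tshark command line with `-o http.desegment_headers:TRUE -o http.desegment_body:TRUE -o http.decompress_body:TRUE` (those are the HTTP dissector's preference keys as I know them; confirm against the preference names your Wireshark version lists).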