Having briefly looked at the capture file, one thing pops out to me and that is that the determinations you've made are probably based on information presented in square brackets. This information is based not on data in the packets themselves but derived by Wireshark from the context it creates when dissecting other packets.

Initially, when loading the file (so, going sequentially in packet/time order), the context is created/updated as time progresses. But when you click on individual packets, these individual packets are dissected again to present details.

Now in this case it seems as though the context is being updated as well, in the order you click the packets, so out of order, giving you a false sense of the actual context at the time of previous packets in the capture.

You can see this by using the generated frame links in the HTTP packets. Packet 384 has the original request for file_1.odt (click this packet to see the Full request URI in the HTTP packet). The corresponding response is in packet 444. Click that packet and you'll see the Request URI being for file_1.odt. Now click on packet 448 and check the Full request URI; it's for file_103.odt. Click on packet 444 again and see the Request URI changed to file_103.odt. That's a bug; this change of the Request URI should not have taken place.

Not sure if there is already a bug report on this (haven't searched), but if there isn't you should file one.
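
An added illustration, not part of the original answer and not Wireshark's code: a toy Python model of a dissector whose bracketed Request URI is derived from shared context, showing how re-dissecting frames in click order changes what frame 444 displays, and how keeping first-pass results fixed avoids that. The class, its `freeze_after_first_pass` flag and the three-frame capture are hypothetical; only the frame numbers and file names come from the answer, and the model does not claim to be the actual cause of the bug.

```python
# Simplified model of a stateful dissector (added example, not Wireshark code).
# Constructed frames: numbers and file names are the ones quoted in the answer.
FRAMES = {
    384: ("request", "file_1.odt"),
    444: ("response", None),
    448: ("request", "file_103.odt"),
}

class ToyHttpDissector:
    """Hypothetical dissector that derives a response's Request URI from context."""

    def __init__(self, freeze_after_first_pass):
        self.freeze = freeze_after_first_pass
        self.last_request_uri = None   # conversation context shared by all frames
        self.first_pass_result = {}    # frame number -> value derived on first dissection

    def dissect(self, number):
        kind, uri = FRAMES[number]
        if self.freeze and number in self.first_pass_result:
            # Re-dissection: reuse what was derived in capture order, touch no state.
            return self.first_pass_result[number]
        if kind == "request":
            self.last_request_uri = uri      # updates the shared context
            shown = uri
        else:
            shown = self.last_request_uri    # the bracketed, generated value
        self.first_pass_result.setdefault(number, shown)
        return shown

def load_then_click(freeze, clicks):
    """Dissect all frames in capture order, then re-dissect in click order."""
    d = ToyHttpDissector(freeze)
    for number in sorted(FRAMES):            # initial load: sequential pass
        d.dissect(number)
    return [(n, d.dissect(n)) for n in clicks]

CLICKS = [384, 444, 448, 444]                # the click order described in the answer

if __name__ == "__main__":
    for freeze in (False, True):
        print("freeze context after first pass:", freeze)
        for number, uri in load_then_click(freeze, CLICKS):
            print(f"  frame {number}: request URI shown = {uri}")
```

For analysis work, the practical point is the same as in the answer: values shown in square brackets depend on dissection state, so a value that matters should be confirmed against the request packet itself.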