Ask Your Question
0

Follow HTTP stream vs Follow TCP stream bug?

asked 2019-12-13 00:31:07 +0000

wbenton gravatar image

When I view HTTP streams vs TCP streams, the displayed content varies depending on whether I have [Allow TCP subdissector reassembly] turned on or off.

If Reassembly is allowed, follow TCP stream shows correct display but follow HTTP stream doesn't show proper context. It only shows the initial client request with no server reply.

But if reassembly is not allowed, follow TCP stream and follow HTTP stream does show the exact same context with both initial client request and server reply.

My question then is... is this a bug or what? I hate to have to toggle between allow and disallow reassembly just to see the proper follow HTTP display!

edit retag flag offensive close merge delete

Comments

Do you see this behavior with every HTTP capture or with a specific capture file? Are you able to share the pcap file on a public file sharing service to have a look at?

(please make sure there is no sensitive data in the capture file if you do share the file)

SYN-bit gravatar imageSYN-bit ( 2019-12-14 12:37:44 +0000 )edit

The file came from an old Malware-Traffic-Analysis.net file. Zipped Sniffer File The zipped file is encrypted. The password is [infected]. I've not tried it with anything more recent and thus don't know for sure whether the problem is only with this file or others as well. Filter on [tcp.stream eq 47] to get a quick view. Perhaps it's just this stream as it works for some other strings, but this string is the one I first noticed it occuring.

wbenton gravatar imagewbenton ( 2019-12-14 12:52:15 +0000 )edit

Further analysis of that file I previously mentioned, the problem ONLY seems to occur in streams 40, 41, 43, 45, 46 and 47. Streams 38 & 39 are from the same destination IP but the HTTP displays properly. So perhaps a malformed HTTP packet in this trace or perhaps a bug from an older version of Wireshark from 2015!

wbenton gravatar imagewbenton ( 2019-12-14 13:39:23 +0000 )edit
add a comment

1 Answer

Sort by ยป oldest newest most voted
1

answered 2019-12-14 14:15:26 +0000

SYN-bit gravatar image

TCP stream 47 does not contain a full HTTP response (as the client sends a TCP/RST right after the request). This means the HTTP dissector will not be able to reassemble the HTTP response, as there is data missing. You can see that there is no HTTP response in the packet-list. As follow-http-stream relies on the http dissector to collect full HTTP requests and responses it can't show the snippet of the http response that was sent before the TCP/RST was received by the server.

The reason it does work with reassembly turned off, is that then the http dissector only needs the first part of the response to mark that packet as the http-response.

edit flag offensive delete link more

Comments

Makes sense. Thanks for the explanation.

wbenton gravatar imagewbenton ( 2019-12-14 14:40:32 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2019-12-13 00:31:07 +0000

Seen: 2,271 times

Last updated: Dec 14 '19

Related questions

What happened to reassemble_tcp?

How to parse the tcp data with fragments in lua

Certficate [TCP segment of a ressembled PDU] -- WHY/WHAT causes it?

Why there is port mismatch in tcp and http header for port 51006. Also why the netstat in server do not shows connections under port 51006 even traffic is coming to this port.

Client is waiting for FIN flag from server for 30 sec

follow tcp stream dialogue box

How to tell if TCP segment contains a data in Wireshark?

Help to read this trace

Random Flooding of TCP Retransmissions

How to make wireshark pop out a file when there are a lot of tcp retransmissions?