Missing TLS/HTTP reassembly of server replies
I'm looking at a traffic capture for an HTTPS connection that just repeatedly requests the same file from the server. If I follow the HTTP stream, I see all the client requests, but the server replies are missing. E.g. in the HTTP follow window I see:
.zRZI.GET /signals/10737/1574792548712.wav HTTP/1.1 Host: public-test-bucket-quatrix.s3.amazona... User-Agent: HTTP.jl/1.5.0-DEV.623 Content-Length: 0
GET /signals/10737/1574792548712.wav HTTP/1.1 Host: public-test-bucket-quatrix.s3.amazona... User-Agent: HTTP.jl/1.5.0-DEV.623 Content-Length: 0
(the first couple bytes are the tail of the first server response, which does get decoded properly). Is there some setting I'm missing that would make this work?
Capture of just this TCP stream available here: https://drive.google.com/open?id=133K...
As that appears to be a TLS stream we're not going to be able to see any HTTP traffic without the necessary decryption material, which in this case will have to be the pre-master secret Are you able to provide that?
Ah, I thought the export would save the key material along with the stream. See here for the key log: https://drive.google.com/open?id=1zlA...
The capture now decrypts. I suspect the number of out-of-order packets and retransmissions are breaking HTTP reassembly. With the following TCP and HTTP preferences set I get the first 6 HTTP responses showing up,but nothing after that:
Thanks, that does help a bit, but I think turning off the "Reassemble out-of-order segments" option, also confuses the TLS dissector into giving some weird packet types later in the stream. Do you think it would be feasible to improve wireshark to allow HTTP reassembly even in the presence of these out-of-order packets?
I've done a bit of work on the TCP reassembly code, and then dissector reassembly, e.g. for UDP, and it's really tricky to work on. I suggest you create a bug over at the Bugzilla and attach this capture and the secrets log file.