
My HTTP 200 OK response has no line based text data, says Expert Info (Note/Malformed): HTTP body subdissector failed, trying heuristic subdissector

asked 2020-09-11 19:52:25 +0000

adinon

updated 2020-09-11 21:28:00 +0000

All my other HTTP 200 OK responses have line-based text data, besides the ones I have mentioned below. I am trying to see what response is from the instrument. The responses to the packets 47, 64, 84, 110, 127, 1065, 1085, 1111, 1131, 1155, 1172 are the ones that give the malformed expert info. I have attached the pcap file. Wireshark won't let me upload my file, so I have linked it as a Google Drive file. I do not know why this is happening, so if someone could please let me know how to solve this issue it would be really appreciated.



The Google drive link got mangled. Can you repost the link?

Chuckc (2020-09-11 20:14:39 +0000)

I have fixed the link in the original post, and copied it here as well.

adinon (2020-09-11 21:28:55 +0000)

(RFCs involved so just my $.02)

Those packets are all HTTP 200 responses to POST requests, and they have empty body parts.
A better response might be 204 No Content, or to not set Content-Type: text/html.

From what I see in the RFCs, they aren't bad responses, so maybe Wireshark could handle them better.

Chuckc (2020-09-11 23:23:59 +0000)

Issue 16844 opened to investigate.
Is there any sensitive data in the packet capture? The issue is marked Confidential for now.

Chuckc (2020-09-12 04:03:18 +0000)

@Chuckc, thank you for the help and quick response. Makes a lot more sense now :)

adinon (2020-09-15 17:06:32 +0000)

1 Answer


answered 2020-09-12 09:59:00 +0000

SYN-bit

I checked a couple of the responses that have no "line-based text data", and all of them have no content:

POST /startSelfTest/Disk%20Storage/1/service HTTP/1.1
Connection: keep-alive
Content-Length: 0
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

HTTP/1.1 200 OK
Transfer-Encoding: chunked
Date: Thu, 10 Sep 2020 00:34:35 GMT
Content-Type: text/html; charset=utf-8
Server: TwistedWeb/16.0.0


The Transfer-Encoding: chunked header means that the content is generated on the fly and that a Content-Length header can't be generated up front. In a chunked response, the response data can consist of multiple chunks. Each chunk has a header line indicating how much data the chunk contains, followed by the chunk of data. The last "chunk" has length 0 to indicate that the object is now complete.

In the responses you are looking at, there is only one chunk header, with the value 0, indicating there is no data coming from the server. That's why Wireshark does not show any "line-based text data": there is none to show.

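The chunk framing the answer describes can be checked by hand. The following is an added example, not code from the original answer or from Wireshark: a small decoder for the chunked transfer coding (hex chunk-size line, optional ";ext" chunk extensions, data, CRLF, then a last chunk of size 0 followed by optional trailer lines and a final CRLF). The sample responses are constructed here; the empty one is modelled on the TwistedWeb response shown in the answer and decodes to zero bytes of payload, which is exactly the "nothing to show" case. It also distinguishes a legitimately empty body ("0\r\n\r\n") from a truncated capture, which is the check a practitioner wants before concluding a response was empty.

```python
"""Decode an HTTP/1.1 chunked transfer-coding body (RFC 7230 section 4.1).

Added example; not part of the original answer or of Wireshark.
"""
from __future__ import annotations

CRLF = b"\r\n"


def decode_chunked(body: bytes) -> tuple[bytes, list[bytes], int]:
    """Return (payload, trailer_lines, data_chunk_count) for a chunked body.

    Each chunk is "<hex-size>[;ext]CRLF <data> CRLF". A size of 0 marks the
    last chunk, followed by zero or more trailer lines and a final CRLF.
    Raises ValueError on malformed or truncated input so a caller can tell
    "legitimately empty" apart from "cut off mid-stream".
    """
    payload = bytearray()
    chunk_count = 0
    pos = 0
    while True:
        eol = body.find(CRLF, pos)
        if eol == -1:
            raise ValueError("truncated: missing chunk-size line")
        # Chunk extensions (";name=value") follow the size and are ignored here.
        size_field = body[pos:eol].split(b";", 1)[0].strip()
        try:
            size = int(size_field, 16)
        except ValueError:
            raise ValueError(f"bad chunk-size line: {body[pos:eol]!r}") from None
        pos = eol + 2
        if size == 0:
            break  # last-chunk: no data, trailers may follow
        chunk = body[pos:pos + size]
        if len(chunk) != size:
            raise ValueError("truncated: chunk data shorter than chunk-size")
        payload += chunk
        chunk_count += 1
        pos += size
        if body[pos:pos + 2] != CRLF:
            raise ValueError("malformed: chunk data not followed by CRLF")
        pos += 2
    trailers: list[bytes] = []
    while True:
        eol = body.find(CRLF, pos)
        if eol == -1:
            raise ValueError("truncated: missing final CRLF after last-chunk")
        line = body[pos:eol]
        pos = eol + 2
        if line == b"":
            break  # empty line terminates the trailer section
        trailers.append(line)
    if pos != len(body):
        raise ValueError("trailing bytes after end of chunked body")
    return bytes(payload), trailers, chunk_count


def split_response(raw: bytes) -> tuple[bytes, dict[str, str], bytes]:
    """Split a raw HTTP/1.1 response into (status line, header map, body)."""
    head, _, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.decode("ascii").strip().lower()] = value.decode("ascii").strip()
    return lines[0], headers, body


def response_payload(raw: bytes) -> tuple[bytes, int]:
    """Return (decoded payload, number of data chunks) for a raw response.

    A non-chunked response is returned as-is with a chunk count of 0.
    """
    _status, headers, body = split_response(raw)
    if "chunked" in headers.get("transfer-encoding", "").lower():
        payload, _trailers, n = decode_chunked(body)
        return payload, n
    return body, 0


# Constructed sample: an empty chunked 200 modelled on the TwistedWeb response
# in the answer. The body is a single last-chunk, so there is no payload.
EMPTY_CHUNKED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Server: TwistedWeb/16.0.0\r\n"
    b"\r\n"
    b"0\r\n\r\n"
)

# Constructed sample: three data chunks, one with an extension, plus a trailer.
MULTI_CHUNKED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"4\r\nWiki\r\n"
    b"6;ext=1\r\npedia \r\n"
    b"A\r\nin chunks.\r\n"
    b"0\r\nX-Trailer: done\r\n\r\n"
)

# Constructed sample: capture ends before the last-chunk arrives.
TRUNCATED = b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n4\r\nWiki\r\n"

if __name__ == "__main__":
    for label, raw in (("empty", EMPTY_CHUNKED), ("multi", MULTI_CHUNKED)):
        payload, n = response_payload(raw)
        print(f"{label}: {n} data chunk(s), payload={payload!r}")
    try:
        response_payload(TRUNCATED)
    except ValueError as exc:
        print(f"truncated: {exc}")
```

Run stand-alone, the empty response reports zero data chunks and an empty payload, the multi-chunk response reassembles to "Wikipedia in chunks." from three chunks, and the truncated one raises rather than being mistaken for an empty body.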


I agree with @Chuckc that Wireshark could handle empty responses better. It is not common, but it seems to be allowed by the RFC.

SYN-bit (2020-09-12 10:06:02 +0000)

@SYN-bit, thank you for your help and for explaining what the different things mean. Makes a lot more sense now.

adinon (2020-09-15 17:07:12 +0000)
