No server pkts when following HTTP Stream

asked 2019-03-21 14:18:36 +0000

What is the difference between follow TCP Stream and follow HTTP Stream?

I'm investigating what we think is a badly configured BigF5 device, but struggling to make sense of the Wireshark (Windows 64-bit version 3.0.0) capture. We've used the following display filter: 'http and http contains "Authorization: NTLM"'. This yields a number of GET requests, and if I pick one of these now and select Follow HTTP Stream then I see: 145 client pkts, 2 server pkts, 4 turns.

In there are 145 GET requests and 2 server responses:

1 Client GET request
1 Server response
1 Client GET request
1 Server response
143 Client GET requests without server responses

However, if I select follow "TCP Stream" on the same original request then I see the client requests and the server responses: 145 client pkts, 247 server pkts, 285 turns.

Now that I'm writing this question I can see that the missing server responses seem to be the "304 Not Modified" responses.

Does follow "HTTP Stream" exclude all 304 Not Modified responses sent by the server?


Please provide a link (dropbox, google drive, etc.) to the packet capture for help with diagnosis.

Ross Jacobs ( 2019-03-23 18:58:43 +0000 )