This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to re-analyze tcp packets to http after “Out-Of-Order”

0

I use tshark (default options) and get this situation:

1329  81.102581 192.168.100.2 → 104.20.6.117 HTTP 589 POST /api/v1/service/get/json HTTP/1.1 
1330  81.107743 104.20.6.117 → 192.168.100.2 TCP 54 80→49439 [ACK] Seq=48519 Ack=7574 Win=47104 Len=0
1331  81.174389 104.20.6.117 → 192.168.100.2 TCP 1514 [TCP segment of a reassembled PDU]
1332  81.174400 104.20.6.117 → 192.168.100.2 HTTP 1029 [TCP Previous segment not captured] Continuation
1333  81.174420 104.20.6.117 → 192.168.100.2 TCP 1514 [TCP Out-Of-Order] 80→49439 [ACK] Seq=49979 Ack=7574 Win=47104 Len=1460
1334  81.174423 104.20.6.117 → 192.168.100.2 HTTP 531 Continuation
1335  81.174439 104.20.6.117 → 192.168.100.2 HTTP 59 Continuation

Can I get a reparsed HTTP request after missing packets? I can see them reordered if I click "Follow TCP stream" when I use Wireshark.

asked 11 Nov '16, 04:42

alexey
accept rate: 0%

edited 10 Jan '17, 06:37

grahamb ♦


One Answer:

0

No, once TCP's reassembly is messed up (by a missing packet) there's no way for it to recover (for that PDU--it will recover once it can find the start of the next PDU).

(Follow TCP stream fakes it out by telling the consumer--generally a human!--that there are missing bytes. Wireshark's dissectors--e.g., in this case, the HTTP dissector--would not be able to handle that well.)

answered 10 Jan '17, 06:03

JeffMorriss ♦
accept rate: 27%
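
The distinction the answer draws, as an added example that is not part of the original question or answer: segments that are merely out of order can be put back by sorting on sequence number, while a segment absent from the capture leaves a hole that can only be reported to the reader. The function names and the sample HTTP response are constructed for illustration; the sketch assumes relative sequence numbers (tshark's default display) with no wraparound.

```python
# Added illustration: constructed sample data, hypothetical function names.
# Assumes relative sequence numbers (tshark's default display) with no wraparound.

def split_segments(payload, first_seq, size):
    """Cut payload into (seq, bytes) TCP-like segments of at most `size` bytes."""
    return [(first_seq + i, payload[i:i + size])
            for i in range(0, len(payload), size)]

def reassemble(segments, first_seq):
    """Order one direction of a stream by sequence number.

    Returns (runs, gaps): runs are (start_seq, bytes) contiguous stretches,
    gaps are (start_seq, length) byte ranges never seen in the capture.
    """
    runs, gaps = [], []
    expected = first_seq
    for seq, data in sorted(segments, key=lambda s: s[0]):
        if seq + len(data) <= expected:
            continue                      # retransmission, nothing new
        if seq < expected:                # partial overlap: keep only new bytes
            data, seq = data[expected - seq:], expected
        if seq > expected:                # hole: bytes missing from the capture
            gaps.append((expected, seq - expected))
            runs.append((seq, bytearray(data)))
        elif runs:
            runs[-1][1].extend(data)      # contiguous: extend the current run
        else:
            runs.append((seq, bytearray(data)))
        expected = seq + len(data)
    return [(s, bytes(b)) for s, b in runs], gaps

# Constructed HTTP response, cut into 20-byte segments starting at relative seq 1.
RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Length: 26\r\n\r\n"
            b"abcdefghijklmnopqrstuvwxyz")
SEGS = split_segments(RESPONSE, 1, 20)

REORDERED = [SEGS[0], SEGS[2], SEGS[1], SEGS[3]]   # all present, wrong order
LOSSY = [SEGS[0], SEGS[2], SEGS[3]]                # second segment never captured

if __name__ == "__main__":
    for name, capture in (("reordered", REORDERED), ("lossy", LOSSY)):
        runs, gaps = reassemble(capture, 1)
        print(name, "gaps:", gaps)
        for start, data in runs:
            print("  run at seq", start, repr(data))
```

In the reordered case a single run comes back and an HTTP parser can consume it; in the lossy case the header block itself is split by the hole, which is why a protocol dissector cannot simply continue past it.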