This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

HTTP dissector failed to re-assemble

0

I'm using wireshark to sniff HTTPs packets.

In some cases, HTTPs response was not reassembled by wireshark.

I give all ssl session keys to wireshark, so keys doesn't cause the problem.

When I followed SSL stream, I got the result below.

GET /api/webimage/5357a5d5090b5553a9c78ed2-1-large.jpg HTTP/1.1
host: contestimg.wish.com
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Linux; Android 6.0.1; SM-N916S Build/MMB29K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.97 Mobile Safari/537.36

HTTP/1.1 200 OK Content-Type: image/jpeg Content-Length: 181501 Connection: keep-alive Date: Wed, 29 Mar 2017 07:35:48 GMT Cache-Control: max-age=1208728 ETag: "99df3c51782782beb9ef06ab89c911990521e3f6" Server: TornadoServer/2.1git-cl Timing-Allow-Origin: * X-Cache: Miss from cloudfront Via: 1.1 1787e729a1c3fb1d4583d4cb9052972b.cloudfront.net (CloudFront) X-Amz-Cf-Id: QayZ8W4yd8fjBeGqcL1Fzzy1cVQATFyYabfxE5LkMUz7bN60DGq74A==

……JFIF………….C………………………………. … ……

….. .

…C……….. …

Also, when I followed HTTP stream, I got the result below which shows only request.

GET /api/webimage/5357a5d5090b5553a9c78ed2-1-large.jpg HTTP/1.1
host: contestimg.wish.com
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Linux; Android 6.0.1; SM-N916S Build/MMB29K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.97 Mobile Safari/537.36

Actually, this was an image request, and I got the image and saw in a mobile.

In addition, all TLSv1.2(HTTPs) packets related to this HTTP response seemed to be collected when I saw wireshark.

What should I do to solve this problem?

When wireshark’s HTTP dissector fails to reassemble HTTP request/response?

Is it possible that wireshark’s HTTP dissector fail although all packets related to HTTP request/response arrived?

Thank you

asked 29 Mar '17, 02:21

Hyunho's gravatar image

Hyunho
6112
accept rate: 0%