No server pkts when following HTTP Stream

What is the difference between follow TCP Stream and follow HTTP Stream?

I'm investigating what we think is a badly configured BigF5 device, but I'm struggling to make sense of the Wireshark (Windows 64-bit version 3.0.0) capture. We've used the following display filter: 'http and http contains "Authorization: NTLM"'. This yields a number of GET requests, and if I pick one of these and select Follow HTTP Stream, then I see: 145 client pkts, 2 server pkts, 4 turns.

In it there are 145 GET requests and 2 server responses:

1 Client GET request
1 Server response
1 Client GET request
1 Server response
143 Client GET requests without server responses

However, if I select Follow "TCP Stream" on the same original request, then I see the client requests and the server responses: 145 client pkts, 247 server pkts, 285 turns.

Now that I'm writing this question, I can see that the missing server responses seem to be the "304 Not Modified" responses.

Does follow "HTTP Stream" exclude all 304 Not Modified responses sent by the server?