Why does Wireshark not recognize this HTTP response?

Posted by Alois Mahdal on Server Fault
Published on 2012-04-05T19:25:18Z Indexed on 2012/04/06 11:33 UTC


I have a trivial CGI script that outputs simple text content. It's written in Perl and uses the CGI module, and it specifies only the most basic headers:

use CGI;                              # the CGI module mentioned above
my $q      = CGI->new;
my $stuff  = 'X' x 1048616;           # illustrative body; the script's real payload is not shown
my $length = length $stuff;           # value sent in the Content-Length header
print $q->header(
    -type           => 'text/plain',
    -Content_length => $length,
);
print $stuff;

There's no apparent issue with functionality, but I'm confused about the fact that Wireshark does not recognize the HTTP response as HTTP: it's marked as TCP.

Here is request and response:

GET /cgi-bin/memfile/memfile.pl?mbytes=1 HTTP/1.1
Host: 10.6.130.38
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20100101 Firefox/11.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: cs,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive

HTTP/1.1 200 OK
Date: Thu, 05 Apr 2012 18:52:23 GMT
Server: Apache/2.2.15 (Win32) mod_ssl/2.2.15 OpenSSL/0.9.8m
Content-length: 1048616
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/plain; charset=ISO-8859-1

XXXXXXXX...

And here is the packet overview (Full packet is here on pastebin)

No.     Time        Source                srcp   Destination           dstp   Protocol Info                                                            tcp.stream abstime
      5 0.112749    10.6.130.38           80     10.6.130.53           48072  TCP      [TCP segment of a reassembled PDU]                              0          20:52:23.228063

Frame 5: 1514 bytes on wire (12112 bits), 1514 bytes captured (12112 bits)
Ethernet II, Src: Dell_97:29:ac (00:1e:4f:97:29:ac), Dst: Dell_3b:fe:70 (00:24:e8:3b:fe:70)
Internet Protocol Version 4, Src: 10.6.130.38 (10.6.130.38), Dst: 10.6.130.53 (10.6.130.53)
Transmission Control Protocol, Src Port: http (80), Dst Port: 48072 (48072), Seq: 1, Ack: 330, Len: 1460

Now when I see this in Wireshark:

  • there's usual TCP handshake
  • then the GET request shown as HTTP with preview
  • then the next packet contains the response, but it is not marked as an HTTP response, just a generic "[TCP segment of a reassembled PDU]", and is not caught by the "http.response" filter.

Can somebody explain why Wireshark does not recognize it? Is there something wrong with the response?
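An added example to illustrate what the capture shows (this is not code from the original post, nor from Wireshark). The script below builds a copy of the response quoted above from its headers plus a constructed filler body of the declared length, splits it into 1460-byte chunks like the TCP segment in the capture (Len: 1460), and feeds them to a minimal HTTP/1.1 reassembler that uses Content-Length to decide when the message is complete. It shows that the first segment carries only the header block and a small slice of the 1,048,616-byte body. Wireshark's TCP dissector, with its default "Allow subdissector to reassemble TCP streams" preference, passes a body-bearing HTTP message to the HTTP dissector only once the whole PDU has been reassembled, so every frame before the last one is shown as a TCP segment of a reassembled PDU rather than as HTTP. The names `parse_response`, `segments` and `segments_until_complete` are this example's own.

```python
# Added example, not from the original post: a minimal HTTP/1.1 response
# reassembler showing why one 1460-byte TCP segment of the response above is
# not yet a complete HTTP message. Headers are copied from the question; the
# body is constructed filler whose length matches the declared Content-length.
MSS = 1460  # TCP payload length of the segment in the capture (Len: 1460)

HEADERS = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Thu, 05 Apr 2012 18:52:23 GMT\r\n"
    b"Server: Apache/2.2.15 (Win32) mod_ssl/2.2.15 OpenSSL/0.9.8m\r\n"
    b"Content-length: 1048616\r\n"
    b"Keep-Alive: timeout=5, max=100\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Content-Type: text/plain; charset=ISO-8859-1\r\n"
    b"\r\n"
)
BODY = b"X" * 1048616           # constructed filler matching Content-length
RESPONSE = HEADERS + BODY


def segments(data, mss=MSS):
    """Split a byte stream into in-order TCP-sized payload chunks."""
    return [data[i:i + mss] for i in range(0, len(data), mss)]


def parse_response(buf):
    """Parse whatever part of the response has been reassembled so far.

    Returns a dict with:
      headers_complete: whether the blank line ending the header block arrived
      status:           the status line, once headers are complete
      content_length:   declared Content-Length (header names are case-insensitive)
      body_received:    body bytes seen so far
      complete:         True once the whole declared body has arrived
    """
    end = buf.find(b"\r\n\r\n")
    if end == -1:
        return {"headers_complete": False, "status": None, "content_length": None,
                "body_received": 0, "complete": False}
    head = bytes(buf[:end]).decode("iso-8859-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    cl = headers.get("content-length")
    content_length = int(cl) if cl is not None and cl.isdigit() else None
    body_received = len(buf) - (end + 4)
    complete = content_length is not None and body_received >= content_length
    return {"headers_complete": True, "status": lines[0],
            "content_length": content_length, "body_received": body_received,
            "complete": complete}


def segments_until_complete(data, mss=MSS):
    """Feed segments one at a time and return how many are needed before the
    response is a complete PDU (0 if it never completes)."""
    buf = bytearray()
    for n, seg in enumerate(segments(data, mss), start=1):
        buf += seg
        if parse_response(buf)["complete"]:
            return n
    return 0


if __name__ == "__main__":
    first = parse_response(segments(RESPONSE)[0])
    print("after the first segment:", first)
    print("segments needed for a complete PDU:", segments_until_complete(RESPONSE))
```

Running it reports that the first segment holds the complete header block but only 1,216 of the 1,048,616 body bytes, and that 719 segments are needed before the reassembler (and a dissector working the same way) can call the response complete. A filter such as http.response therefore matches the frame in which reassembly finishes, not the frame carrying the status line.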

