On Nov 11, 2009, at 12:20 AM, Qmo (Yi-Sheng) wrote:
> I want to decode the HTTP packet, but it involves the three packets.
> In Wireshark "Packet bytes Pane", the packet No. 134 shows
> [Reassembled TCP Segments (1938 bytes): #132(272) #133(1460)
> #134(206) ]
> [Frame: 132 , payload: 0-271]
> [Frame: 133 , payload: 272-1731]
> [Frame: 134, payload:1732-1937]
>
> How does Wireshark know this information via the cap file?
Because it knows what HTTP responses look like - a Status-Line, a
bunch of {general,response,entity}-headers, a blank line, and a
response body, with the latter terminated either by the byte count
from the headers or by closing the connection - so it accumulates the
contents of TCP segments until it's seen all of that.
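
The accumulation described in the reply above, as an added Python example that is not part of the original message and is not Wireshark's dissector code. The function names and the sample response are constructed; it assumes segments arrive in sequence order and does not handle chunked transfer encoding.

```python
def http_response_length(buf, closed=False):
    """Total length of the HTTP response at the start of buf, or None if incomplete."""
    end = buf.find(b"\r\n\r\n")            # blank line that ends the headers
    if end < 0:
        return None
    lines = buf[:end].split(b"\r\n")
    if not lines[0].startswith(b"HTTP/"):
        raise ValueError("stream does not start with an HTTP Status-Line")
    body_start = end + 4
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            value = value.strip()
            if not value.isdigit():
                raise ValueError("malformed Content-Length")
            total = body_start + int(value)
            return total if len(buf) >= total else None
    # No byte count in the headers: the body ends when the connection closes.
    return len(buf) if closed else None


def reassemble(segments, closed=False):
    """segments: (frame_no, tcp_payload) pairs in sequence order.
    Returns (pdu, [(frame_no, first_byte, last_byte), ...]) or None if incomplete."""
    segments = list(segments)
    buf, ranges = b"", []
    for i, (frame_no, payload) in enumerate(segments):
        start = len(buf)
        buf += payload
        ranges.append((frame_no, start, len(buf) - 1))
        # The close only counts once the final captured segment has been added.
        total = http_response_length(buf, closed and i == len(segments) - 1)
        if total is not None:
            ranges[-1] = (frame_no, start, total - 1)   # trim bytes past the PDU
            return buf[:total], ranges
    return None


def sample_segments():
    """Constructed 1938-byte response split 272/1460/206 like frames 132-134."""
    head = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: %d\r\n\r\n"
    body_len = 1938 - len(head % 1000)     # 1000 is a 4-digit stand-in for sizing
    data = head % body_len + b"x" * body_len
    return [(132, data[:272]), (133, data[272:1732]), (134, data[1732:])]


if __name__ == "__main__":
    pdu, ranges = reassemble(sample_segments())
    print(len(pdu), ranges)
```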