Please try latest svn of wireshark. I have checked in a fix that makes "reassemble one more segment" work for the rather unusual case (like your capture) when we need to do this multiple times in a row for the same pdu.
Seems IIS didnt like your kerberos auth blob and just reset the connection :-) On 12/19/06, ronnie sahlberg <[EMAIL PROTECTED]> wrote: > The request is complete yes. > The problem here is that HTTP is a very difficult protocol to do > reassembly for and is thus doing reassembly very differently to all > other protocols running over TCP. > When reassembl;ing the ASCII header which have no explicit length that > describes the header length the http dissector instead uses a special > "ask for one more segment at a time" when reassembling the header. > This special kind of reassembly does not work entirely for http > headers that span across more than two tcp segments. I.e. that asks > for "one more segment please" multiple times for the same header. > > I may have a fix for this in the next few days. > > > On 12/16/06, Xiaoguang Liu <[EMAIL PROTECTED]> wrote: > > Yes. I meant fram 8,9,10 > > > > I think this HTTP request is completed. no more data is needed in > subsequent > > frame. We can see 0x0d0a0d0a at the end of frame 10. > > > > I am also wondering why web server reset the connection. but it should not > > do that no matter there some more frames to be recieve or not. a possible > > reason is that the IIS application pool crushed after it recieved the HTTP > > request (frame 8-10). > > > > What I would like to understand is why Wireshark did not reassamble frame > > 8-10. What did it wait for? > > > > > > > > > > On 12/16/06, Stephen Fisher <[EMAIL PROTECTED]> wrote: > > > > > > On Fri, Dec 15, 2006 at 10:09:26PM +0800, Xiaoguang Liu wrote: > > > > > > > in the attachment, frame 7,8,9 shoud be a single HTTP request. Why > > > > wireshark did not reassamble them? Test on Version 0.99.5-SVN-20139 > > > > (SVN Rev 20139), windows xp sp2. I do eanble all reasamble HTTP ..... > > > > options. > > > > > > I believe you meant frames 8, 9, 10? They are being reassembled as you > > > can see from [TCP segment of a reassembled PDU] in the info column. > > > However, as you stated the final reassembled HTTP packet never shows up. > > > My guess would be that more data is expected before it finishes the > > > reassembly, but instead the server resets the connection (RST in the > > > final frame of the capture). Can you reproduce this problem again? > > > > > > > > > Steve > > > _______________________________________________ > > > Wireshark-users mailing list > > > [email protected] > > > http://www.wireshark.org/mailman/listinfo/wireshark-users > > > > > > > > _______________________________________________ Wireshark-users mailing list [email protected] http://www.wireshark.org/mailman/listinfo/wireshark-users
