HTTP response header in a PSH, ACK segment
The case where a TCP stream captured in Wireshark shows only the HTTP GET request and no response.
The Wireshark Q&A site has the following question and answer:
https://osqa-ask.wireshark.org/questions/6216/what-makes-a-packet-an-http-one
What makes a packet an HTTP one
I am trying to figure out why WireShark does not treat a packet as an HTTP one. Here is the scenario: A client ( from port x) sends a GET request to a server (to port 80). In response, the server (from port 80) sends a packet to the client (to port 80). WireShark recognizes the client -> server packet as an HTTP one, but does not recognize the response packet as an HTTP one even though it has the status line HTTP/1.0 200 OK.
I am wondering if anyone could offer some clue for understanding this. The response packet is the following:
Transmission Control Protocol, Src Port: http (80), Dst Port: 50374 (50374), Seq: 1, Ack: 628, Len: 100
    Source port: http (80)
    Destination port: 50374 (50374)
    [Stream index: 15]
    Sequence number: 1 (relative sequence number)
    [Next sequence number: 101 (relative sequence number)]
    Acknowledgement number: 628 (relative ack number)
    Header length: 20 bytes
    Flags: 0x18 (PSH, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgement: Set
        .... .... 1... = Push: Set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
    Window size value: 3547
    [Calculated window size: 7094]
    [Window size scaling factor: 2]
    Checksum: 0x248e [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    [SEQ/ACK analysis]
        [Bytes in flight: 100]
    TCP segment data (100 bytes)
One Answer:
The TCP protocol preference "Allow Subdissector to reassemble TCP streams" is enabled. This means that any protocol that runs atop TCP can tell TCP to collect more data until it has a full PDU. In the case of HTTP, the HTTP dissector will try to collect a full HTTP response before showing it.
In the hex data that you supplied, the full HTTP header is visible. However, there is no "Content-Length" header and no "Transfer-Encoding: Chunked" header. This means the end of the HTTP PDU is when the TCP connection gets closed by the FIN packets. If the FIN packets are not in the trace, then Wireshark has no way of knowing that the HTTP response is complete and will keep trying to collect data until it sees the FIN.
You can make Wireshark show the HTTP response straight away by disabling the "Allow Subdissector to reassemble TCP streams" in the TCP protocol preferences.
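The framing rule the answer describes, as an added Python example that is not from the Wireshark Q&A or from Wireshark's own dissector. It follows a simplified form of the message-body-length rules in RFC 9112; `classify` and `chunked_complete` are hypothetical names, and the sample responses are constructed.

```python
# Added example: how an HTTP/1.x response body is delimited (simplified from
# the RFC 9112 framing rules) and whether the captured bytes already hold it all.

def chunked_complete(body: bytes) -> bool:
    """Walk the chunks; True once the zero-size last chunk and final CRLF are seen."""
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            return False                      # size line not captured yet
        size = int(body[pos:eol].split(b";")[0], 16)
        if size == 0:
            return b"\r\n\r\n" in body[eol:]  # optional trailers, then empty line
        pos = eol + 2 + size + 2              # skip chunk data and its CRLF

def classify(data: bytes, request_method: str = "GET"):
    """Return (framing, complete_without_close) for the response in `data`."""
    head, sep, body = data.partition(b"\r\n\r\n")
    if not sep:
        return "incomplete-header", False
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdecimal():
        raise ValueError("not an HTTP status line")
    status = int(parts[1])
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if colon:
            headers[name.strip().lower()] = value.strip()  # last duplicate wins
    if request_method == "HEAD" or status < 200 or status in (204, 304):
        return "no-body", True
    codings = headers.get("transfer-encoding", "").lower().split(",")
    if codings[-1].strip() == "chunked":
        return "chunked", chunked_complete(body)
    length = headers.get("content-length", "")
    if length.isdecimal():
        return "content-length", len(body) >= int(length)
    # Neither header: only the connection close (FIN) marks the end of the body.
    return "until-close", False

# Constructed sample responses (not the bytes from the question's capture).
CLOSE_DELIMITED = b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"
WITH_LENGTH = b"HTTP/1.1 200 OK\r\nContent-Length: 6\r\n\r\n<html>"
CHUNKED = b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n6\r\n<html>\r\n0\r\n\r\n"

if __name__ == "__main__":
    for name, raw in [("close", CLOSE_DELIMITED), ("length", WITH_LENGTH), ("chunked", CHUNKED)]:
        print(name, classify(raw))
```

A result of `("until-close", False)` corresponds to the situation in the question: with reassembly enabled and no FIN in the trace, the response is never shown as HTTP.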