Wireshark mailing list archives

Re: Decode TCP trame cup into different parts


From: Guy Harris <guy () alum mit edu>
Date: Thu, 7 Jan 2010 04:22:01 -0800


On Jan 7, 2010, at 4:03 AM, Olivier-externe GERAULT wrote:

I would like to analyze packets sent and received but they are cut into many parts and Wireshark seems not able to 
understand the entire message. 
For example, in the "Follow TCP Stream", I get the result: 

        {HTTP POST request}

I can see that it is a SOAP response and the beginning of the message is quite clear. 
But, the 2nd packet is not decoded and I don't know how to read it. 

What do you mean by "packet" here?  That might be two or more TCP segments, but it appears to be a *single* HTTP POST 
request.  It says

        Content-Encoding: gzip

which means that the data in the POST request is gzipped; that's why what comes after

        Content-Length: 190

and the blank line following the Content-Length line is a bunch of binary data.

What does Wireshark show in the packet summary pane?  If it's doing reassembly of HTTP headers and data, it should show 
an HTTP POST, and if you click on that, it should show the entire packet - and possibly even unzip the compressed data 
and show the XML.

Is there an option in Wireshark?

There are options for the HTTP dissector (select Edit -> Preferences, open up the Protocols list, and select HTTP) for 
"Reassemble HTTP headers spanning multiple TCP segments" and "Reassemble HTTP bodies spanning multiple TCP segments"; 
make sure those options, and "Uncompress entity bodies", are all on (checked).  (Also make sure "Reassemble chunked 
transfer-coded bodies" is on, although that won't affect that *particular* HTTP message.)
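
What header/body reassembly followed by gzip decoding amounts to for a request like the one discussed above, as an added example that is not part of the original message and is not Wireshark's code. The host, path, SOAP body and split points are constructed sample values, and `build_segments` and `reassemble_http` are hypothetical helper names; segments are assumed to arrive in order without retransmissions.

```python
import gzip
import zlib

def build_segments(xml, split_points):
    """Constructed sample: a gzip-encoded POST cut into TCP segment payloads."""
    body = gzip.compress(xml)
    head = (b"POST /service HTTP/1.1\r\n"
            b"Host: example.invalid\r\n"
            b"Content-Type: text/xml\r\n"
            b"Content-Encoding: gzip\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n")
    raw = head + body
    cuts = [0, *split_points, len(raw)]
    return [raw[a:b] for a, b in zip(cuts, cuts[1:])]

def reassemble_http(segments, max_out=1 << 20):
    """Return (headers, decoded_body), or None while the message is incomplete."""
    buf = b"".join(segments)  # assumes in-order payloads, no retransmissions
    head, sep, rest = buf.partition(b"\r\n\r\n")
    if not sep:
        return None  # headers continue in a later segment
    headers = {}
    for line in head.decode("iso-8859-1").split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", "0"))
    if len(rest) < length:
        return None  # body continues in a later segment
    body = rest[:length]
    if headers.get("content-encoding", "").lower() == "gzip":
        inflater = zlib.decompressobj(wbits=31)  # 31 selects the gzip container
        body = inflater.decompress(body, max_out)
        if not inflater.eof:
            raise ValueError("gzip body truncated or larger than max_out")
    return headers, body

if __name__ == "__main__":
    xml = b"<soap:Envelope><soap:Body><ping/></soap:Body></soap:Envelope>"
    segs = build_segments(xml, [40, 130])
    for n in range(1, len(segs) + 1):
        print(n, "segment(s):", reassemble_http(segs[:n]))
```

The `max_out` cap bounds the decompressed size, which matters when the captured traffic is untrusted.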