HTTP Continuation or non-HTTP traffic packets
When analyzing HTTP packets in a network capture, the HTTP packets normally seen look like this:
GET / HTTP/1.1
Host: 192.168.4.83
Accept: */*
……
HTTP/1.1 200 OK
Date: Thu, 22 Dec 2011 02:40:35 GMT
Server: Apache/2.2.4 (Win32)
Page text and content
……
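I came across a packet labelled "HTTP Continuation or non-HTTP traffic", which I had not encountered before. I did not understand what it meant. Its length showed as 1460, which is somewhat similar to "TCP segment of a reassembled PDU". After Googling the meaning of this field for a while, I found the following explanation: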
--------------------------------------------------------------------------------------------------
On Mon, May 29, 2006 at 12:37:41PM +0200, Pierre-Yves LE BIHAN wrote:
> I've analysed traffic between a W200 workstation and a W2K3 server;
> I find frames with this information "continuation or non-http traffic".
That means ethereal sees packets on tcp port 80 which don't contain an http header. This is quite common, since many http-objects are larger than 1 tcp packet. Hence the comment "Continuation". You can probably see an http-packet before those "continuations".
It also means you have some re-assembly settings turned off. Either the "reassemble http headers" and "reassemble http bodies" options are turned off in the http protocol preferences and/or the "allow subdissector to reassemble tcp streams" option is turned off in the tcp protocol preferences.
If they were all turned on, you would have seen "tcp segment of a reassembled PDU" frames, ending in a http frame, containing the whole http-request or http-response.
--------------------------------------------------------------------------------------------------
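My understanding is that the HTTP object being sent is larger than the MSS of a single TCP packet (generally this value is 1460), so it has to be transmitted in multiple packets, and the corresponding packets are therefore labelled "HTTP Continuation or non-HTTP traffic", just as TCP packets are labelled "TCP segment of a reassembled PDU".
The other point concerns the settings of your capture software: if you turn on all of the options shown in bold above (the names may differ between tools), the display may look different. The settings in Wireshark are shown in the figure:
First, in the menu select Edit -> Preferences -> Protocols -> HTTP
Read what each option means, and then you can configure them as you wish.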
Ethereal-users mailing list Ethereal-users [at] ethereal
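It seems I have still run into relatively few problems, and there is a lot about using Wireshark, this powerful tool, that I am not yet familiar with. Anyone who knows it well is welcome to discuss related techniques together, so that packets can be analysed more quickly and efficiently; building up a library of packets would also be a good idea.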