List:       wireshark-users
Subject:    Re: [Wireshark-users] HTTP2 stream id detection
From:       Jeff Morriss <jeff.morriss.ws () gmail ! com>
Date:       2019-03-05 14:34:06
Message-ID: CAKkq+FacB3OtrrCcYife7nL=K4q1Cst9+OKgUhTwtSeuip+JTA () mail ! gmail ! com


Hi Raj,

For better or worse, a lot of folks have moved over to the Q&A site:
ask.wireshark.org ; there's not much traffic on the -users list anymore.

What are you trying to achieve?

The reason there are only 12 frames marked as HTTP2 is because the other
frames are marked as [TCP segment of a reassembled PDU] - meaning that
Wireshark realizes that the frame is part of a larger (multi-frame) message
and so it's only going to dissect the reassembled frame as HTTP2.  This
means you should be able to get all the data on that (large) later frame.

With other dissectors (including HTTP) you can get away with disabling
reassembly (by disabling the TCP preference that allows subdissectors to
reassemble) but with HTTP2 (at least with this trace) the HTTP2 dissector
doesn't seem very happy with the result (there are lots of malformed
packets).  I'd actually expect the HTTP2 dissector to just say, for
example, "Continuation" (or similar) in this case.

I don't know enough about HTTP2 to know if there's any reason this isn't done
with this dissector too; you could consider opening a bug report (
https://bugs.wireshark.org ) about it.

Regards,
-Jeff

On Mon, Mar 4, 2019 at 5:33 PM Rajvardhan Deshmukh <rdeshmukh@umass.edu>
wrote:

> Hi all,
> 
> This email might have slipped through.
> 
> I was wondering if anyone could help me with the following problem.
> 
> I am trying to get the HTTP/2 stream id (so use h2c (clear-text)) from
> the trace for the experiment that I have run.
> The experiment is communication between mptcp capable nodes.
> 
> I use the libcurl based client which allows me to download 2 files
> (video of 2 seconds) in parallel
> ( video segment #1
> 
> http://10.10.3.2:9001/www-itec.uni-klu.ac.at/ftp/datasets/DASHDataset2014/BigBuckBunny/2sec/bunny_4219897bps/BigBuckBunny_2s13.m4s
>  video segment #2
> 
> http://10.10.3.2:9001/www-itec.uni-klu.ac.at/ftp/datasets/DASHDataset2014/BigBuckBunny/2sec/bunny_3526922bps/BigBuckBunny_2s13.m4s
>  )
> 
> here is the tcpdump trace
> https://umass.box.com/s/2n7st4012vwp8yirddd23pnexho3trxf
> 
> 
> Wireshark trace analysis step:
> 1. Edit > Preferences > Protocols > HTTP2 > HTTP2 TCP port 9001
> 
> I see multiple tcp and mptcp packets, but only 12 HTTP/2 packets
> (verified that the video segments use 2 different streams)
> on one interface and none on the other interface.
> 
> I need the HTTP/2 stream number which is only visible in HTTP/2
> packets to differentiate if the packet belongs to
> video segment #1 or the video segment #2. With what I have right now,
> I can't differentiate if the segment belongs to
> video segment #1 or video segment #2.
> 
> Let me know if you can direct me to someone who can help.
> I have gotten in touch with libcurl folks and they suggested that I ask
> the wireshark-forum.
> 
> 

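Added example, not part of either message and not Wireshark code: a sketch of why only the reassembled PDU shows a stream id, and how to attribute every TCP segment to an HTTP/2 stream by walking the 9-byte frame headers in the reassembled byte stream. The function names and the sample bytes are constructed for illustration; it assumes cleartext h2c and payloads of one direction already in order.

```python
import struct

# Frame type codes from RFC 7540; unknown types are shown as hex.
FRAME_TYPES = {0x0: "DATA", 0x1: "HEADERS", 0x4: "SETTINGS",
               0x8: "WINDOW_UPDATE", 0x9: "CONTINUATION"}

def make_frame(ftype, stream_id, payload, flags=0):
    """Build one HTTP/2 frame: 24-bit length, type, flags, R bit + 31-bit stream id."""
    header = len(payload).to_bytes(3, "big") + bytes([ftype, flags])
    return header + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload

def streams_per_segment(segments):
    """Return, for each in-order TCP payload of one direction, the list of
    (stream_id, frame_type) whose bytes it carries, header present or not."""
    bounds, pos = [], 0
    for seg in segments:
        bounds.append((pos, pos + len(seg)))
        pos += len(seg)
    data = b"".join(segments)          # what TCP reassembly hands the dissector
    result = [[] for _ in segments]
    off = 0
    while off + 9 <= len(data):        # every frame starts with a 9-byte header
        length = int.from_bytes(data[off:off + 3], "big")
        ftype = data[off + 3]
        sid = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        end = off + 9 + length
        entry = (sid, FRAME_TYPES.get(ftype, hex(ftype)))
        for i, (start, stop) in enumerate(bounds):
            # A segment belongs to this frame if their byte ranges overlap.
            if start < end and stop > off and entry not in result[i]:
                result[i].append(entry)
        off = end
    return result

def constructed_sample(mss=1448):
    """Constructed server-to-client bytes: two responses on streams 1 and 3."""
    stream = (make_frame(0x1, 1, b"h" * 10) + make_frame(0x1, 3, b"h" * 10)
              + make_frame(0x0, 1, b"a" * 3000) + make_frame(0x0, 3, b"b" * 2000))
    return [stream[i:i + mss] for i in range(0, len(stream), mss)]

if __name__ == "__main__":
    for n, owners in enumerate(streams_per_segment(constructed_sample()), 1):
        print(f"segment {n}: {owners}")
```

The second constructed segment carries only DATA bytes of stream 1 and no frame header, which is the case that appears as [TCP segment of a reassembled PDU]. For an MPTCP capture, the payloads of both subflows would first have to be placed in data-sequence order before this walk applies.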
