HttpIncompletePayload

  • Question

  • Hi All,

    When sniffing the download of a JPG from a web server, the first few packets are listed as follows in the Frame Summary:

    Http: HTTP Payload, URL: /cf320896-3df3-41a3-ba2a-dc5518399976.jpg - JPEG: Size=1460

    Http: HTTP Payload, URL: /cf320896-3df3-41a3-ba2a-dc5518399976.jpg - JPEG: Size=1460

    Http: HTTP Payload, URL: /cf320896-3df3-41a3-ba2a-dc5518399976.jpg

    Http: HTTP Payload, URL: /cf320896-3df3-41a3-ba2a-dc5518399976.jpg

    The TCP Payload length in all the packets remains consistent (1460), but the last two are listed as "HttpIncompletePayload" in the HTTP section of the Frame Details.

    http://66.59.75.99/cf320896-3df3-41a3-ba2a-dc5518399976.jpg

    Can someone explain why these Frames are listed as HttpIncompletePayload please?

    Thanks
    Warrick

    Friday, November 4, 2011 3:17 PM

All replies

  • Hi Warrick,

    What version of the parsers do you have?  You can find this in the Parser Profile Options screen.


    Michael Hawker | Program Manager | Network Monitor
    Monday, November 7, 2011 3:45 PM
  • Also keep in mind that HTTP will add HttpIncompletePayload when it sees an HTTP segment that is partial.  This will happen when the HTTP packet is fragmented.  To see the entire payload, you'll need to save the trace and reassemble it.

    Thanks,

    Paul

    Monday, November 7, 2011 4:14 PM
  • Looks like I'm using 3.4.2350.0
    Monday, November 7, 2011 6:04 PM
  • Thanks, but technically any HTTP response that can't fit into a single packet would then be classified as incomplete, would it not? I guess I'm a little confused as to what's meant by a partial HTTP segment. If the web server is responding with 100K of data and that's being broken into 1460-byte chunks, wouldn't all packets be marked as HttpIncompletePayload?
    Monday, November 7, 2011 6:11 PM
  • I would suggest downloading the latest parsers from http://nmparsers.codeplex.com/; however, based on Paul's comment, you'll probably see the same result.

    If you hit the "Reassemble" button, you'll be able to find the complete payload.

    Maybe it would make more sense if we called it "HttpPartialPayload" instead of Incomplete?


    Michael Hawker | Program Manager | Network Monitor
    Monday, November 7, 2011 6:16 PM
  • Thanks, I upgraded my parsers and this did seem to fix the issue. I'm still not clear on how these reassembled packets are displayed. The window that's opened and is intended to show the reassembled data seems to contain the same list of packets? I seem to remember reading a tutorial that said one should expect to find a new packet in the list somehow.
    Monday, November 7, 2011 6:40 PM
  • You can filter for 'PayloadHeader' to see the complete reassembled frames.
    Michael Hawker | Program Manager | Network Monitor
    Monday, November 7, 2011 6:48 PM
  • Not sure I follow. I see "http.payload" but 'PayloadHeader' doesn't seem to be a valid filter name.


    What would be a nice addition would be to have a comment auto added to the Display Filter window when the reassembled window is created. That way people would easily be able to see how to filter for this. Or even a Standard filter.

     

    Thanks again

    Warrick

    Monday, November 7, 2011 7:00 PM
  • Hi Warrick,

    You might want to check out Paul's blog here: http://blogs.technet.com/b/netmon/archive/2010/11/04/reassembly-made-easier.aspx

    This gives some tips and filters on how to use reassembly.


    Michael Hawker | Program Manager | Network Monitor
    Tuesday, November 8, 2011 4:28 PM
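
Added example, not part of the thread and not Network Monitor's parser code: a Python sketch of what reassembly does for a response like the one discussed, joining 1460-byte TCP payloads by sequence number and checking the result against Content-Length. The sample response, its sequence numbers and the function names are constructed for illustration, and sequence-number wraparound is ignored.

```python
MSS = 1460  # TCP payload size seen in the thread's frames

def reassemble(segments):
    """Join (seq, payload) pairs in sequence order, skipping retransmitted
    bytes. Returns (stream, gap_found); stops at the first missing range."""
    stream, base = b"", None
    for seq, data in sorted(segments):
        if base is None:
            base = seq
        offset = seq - base
        if offset > len(stream):
            return stream, True              # a segment is missing here
        stream += data[len(stream) - offset:]  # drop bytes already seen
    return stream, False

def is_complete(data):
    """True only if data holds the full headers and exactly the number of
    body bytes announced by Content-Length."""
    head, sep, body = data.partition(b"\r\n\r\n")
    if not sep:
        return False                         # no header terminator in this data
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            return len(body) == int(value.strip())
    return False                             # no Content-Length: cannot decide

def build_sample():
    """Constructed capture: a 5000-byte JPEG-like body sent in MSS-sized
    segments, delivered out of order with one retransmission."""
    body = b"\xff\xd8" + b"\x00" * 4996 + b"\xff\xd9"
    response = (b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n"
                b"Content-Length: 5000\r\n\r\n" + body)
    segs = [(1000 + i, response[i:i + MSS])
            for i in range(0, len(response), MSS)]
    segs.append(segs[1])                     # retransmitted segment
    segs.reverse()                           # arrival order differs from seq order
    return segs, response

if __name__ == "__main__":
    segs, _ = build_sample()
    for seq, data in sorted(set(segs)):
        print(seq, len(data), "complete" if is_complete(data) else "partial")
    stream, gap = reassemble(segs)
    print("reassembled:", len(stream), "bytes, complete =", is_complete(stream))
```

No single segment passes `is_complete`; only the reassembled stream does, and a capture with a dropped segment is reported as a gap rather than as a short payload.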