HTTP Continuation or non-HTTP traffic 数据包

网络抓包时对http数据包进行分析，由于一般情况下见到的HTTP包为：

GET / HTTP/1.1

Host: 192.168.4.83

Accept: */*

……

HTTP/1.1 200 OK

Date: Thu, 22 Dec 2011 02:40:35 GMT

Server: Apache/2.2.4 (Win32)

页面具体文本及内容

……

发现一个 HTTP Continuation or non-HTTP traffic的数据包，之前没有碰到过。不懂其意义，一看长度，显示1460，与TCP segment of a reassembled PDU有点类似，对于这个字段的意义，GOOGLE了一会，发现有如下的解释：

--------------------------------------------------------------------------------------------------

That means ethereal sees packets on tcp port 80 which don't contain
an http header. This is quite common, since many http-objects are
larger than 1 tcp packet. Hence the comment "Continuation". You can
probably see an http-packet before those "continuations".

It also means you have some re-assembly settings turned off. Either
the "reassemble http headers" and "reassemble http bodies" options
are turned off in the http protocol preferences and/or the "allow
subdissector to reassemble tcp streams" option is turned off in the
tcp protocol preferences.

If they were all turned on, you would have seen "tcp segment of a
reassembled PDU" frames, ending in a http frame, containing the
whole http-request or http-response.

--------------------------------------------------------------------------------------------------------

我的理解是由于发送的HTTP对象大小超过了一个tcp数据包的MSS（一般情况下这个值为1460），所以需要分多个包进行传输，相应的包因此标记成“HTTP Continuation or non-HTTP traffic”字样。比如TCP包被标记为TCP segment of a reassembled PDU一样。

另外说的是你的抓包软件的设置了，如果你把上述加粗字样的选项（不同的软件可能名字不一样）都开启，那么在显示可能就不一样了.在wireshark中的设置如图所示：

首先在菜单上选择 edit–>Preferences->Protocols->HTTP

http://pic002.cnblogs.com/images/2011/362424/2011122313070014.pngContinuation or non-HTTP traffic 数据包" />

看一下选项设置的意思，就可以按照你的想法进行设置了。

Ethereal-users mailing list
Ethereal-users [at] ethereal
http://www.ethereal.com/mailman/listinfo/ethereal-users

看来自己碰到的问题还是比较少，对wireshark这一利器的使用还有很多不熟悉的地方，有熟悉的朋友大家可以一起讨论讨论相关技巧，分析数据包更加快速和高效，积累一个数据包的库也是不错的。