[Winpcap-users] Http addressing with Ethereal

Guy Harris guy at alum.mit.edu
Tue Jul 3 23:56:56 GMT 2007


On Jul 3, 2007, at 1:07 PM, ceo at triplebit.com wrote:

> When I try to trace Ethereal tcp packets containing HTTP protocol, I  
> see that the addressing (in the first column), do not follow the  
> addressing of the whole packet but its specific to the HTTP data.

This is a Wireshark (the new name for Ethereal, as of a little over a  
year ago) issue, not a WinPcap issue; I'm redirecting it to the  
wireshark-users mailing list, which is the list where questions about  
Wireshark should be asked.  Further discussion should take place on  
that list.  See

	http://www.wireshark.org/lists/

for information on Wireshark mailing lists.

What do you mean by "follow the addressing of the whole packet" and  
"specific to the HTTP data"?

The first column is probably the frame number, and the second column  
is usually the packet time stamp.  Do you mean the third column?  If  
so, that's usually the source IP address, which would be the IP  
address that sent the packet; IP has no idea whether it's sending HTTP  
or not.  An IP datagram has an IP address; there is no notion that  
part of one IP datagram has one IP address and another part has  
another address, so the only addressing is "the addressing of the  
whole packet" - there's no addressing specific to the HTTP data.


More information about the Winpcap-users mailing list