No server pkts when following HTTP Stream
What is the difference between follow TCP Stream and follow HTTP Stream?
I'm investigating what we think is a badly configured BigF5 device, but struggling to make sense of the Wireshark (Windows 64-bit, version 3.0.0) capture. We've used the following display filter: 'http and http contains "Authorization: NTLM"'. This yields a number of GET requests, and if I pick one of these and select Follow HTTP Stream, then I see: 145 client pkts, 2 server pkts, 4 turns.
In there are 145 GET requests and 2 server responses:
1 Client GET request
1 Server response
1 Client GET request
1 Server response
143 Client GET requests without server responses
However, if I select follow "TCP Stream" on the same original request, then I see the client requests and the server responses: 145 client pkts, 247 server pkts, 285 turns.
Now that I'm writing this question, I can see that the missing server responses seem to be the "304 Not Modified" responses.
Does follow "HTTP Stream" exclude all 304 Not Modified responses sent by the server?