6

Trying to determine if a user actually downloaded an executable file from a website. I examined the pcap and I see that the Content-Length field = 784,536 but the Server->User is 430,380 bytes. This tells me that the user did not fully download the file. I also downloaded the file myself and see that it is 766 KB. Is it possible that the content-length value based on the HTTP header will not be EQUAL TO the file size of that EXE file if it is downloaded (the local file size)? Is this correct?

Packet Capture Data (I can't post screenshots)

GET /ChromasLite211Setup.exe HTTP/1.1
Host: www.technelysium.com.au
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:17.0) Firefox/17.0
Accept: text/html, application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us
Accept-Enconding: gzip, deflate
Connection: keep-alive
Referrer: http://technelysium.com.au/

HTTP/1.1 200 OK
Date: Thu, 01 Aug 2013 17:28:17 GMT
Server: Apache
Last-Modified: Mon, 15 Apr 2013 08:29:57 GMT
Accept-Ranges: bytes
Content-Length: 784536
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdownload

MZP........................@.............................!..L..This program must be run under Win32


Entire Conversation (430722 bytes)
Users IP -> Server IP (342 bytes)
Server IP -> Users IP (430380)

When I download the file from the site it shows as, "Binary File (766 KB)"

user2661503
  • 115
  • 1
  • 1
  • 7

2 Answers

13

Converting Bytes to Kilobytes

784,536/1024 = 766.14
bastos.sergio
  • 6,684
  • 4
  • 26
  • 36
  • Right. So, when I download the file myself, I see that it's 766KB. But then how come the pcap doesn't show the Entire Conversation = Content-Length? Does this mean it didn't download? Does the file size have to match the content-length? – user2661503 Aug 07 '13 at 17:18
  • 2
    I'm not sure I understand your question... The Content-Length is an indication of how big a response (file) to expect from the server... It has no bearing on whether the download transferred successfully... Some servers don't even reply with a content-length or set content-length to zero (that's why on downloads we sometimes see the download time/status as unknown since the browser has no way of knowing how big a file it is getting...) – bastos.sergio Aug 07 '13 at 21:45
  • Yes, the size of the transferred file should be exactly the same as the bytes in the Content-Length. There are a few things that could change it, i.e.: If it's being sent in gzip encoding, then the # of bytes transferred won't equal the resulting unzipped file size (of course), but the Content-Length header MUST show the exact number of bytes in the HTTP Response Body. If there is NO Content-Length header, then it may be using something like chunked-encoding. A Content-Length: 0 header means that 0 bytes MUST be sent. – Kylar Aug 11 '13 at 15:24
0

No. The user did not download all the bytes.

If a server sends a Content-Length header, that is exactly how many bytes of content it intends to send as the HTTP Response Body. If less than that number was sent, then something happened (Client terminated connection, Client timed out, etc.)

Kylar
  • 8,876
  • 8
  • 41
  • 75
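Both answers come down to one check: take the server-to-client bytes from the stream, read the Content-Length header, and compare it with the number of body bytes that actually arrived (the first answer's 784536/1024 conversion is the same number expressed in KB). The script below is an added example, not code from either answer; it runs on a constructed server-to-client byte string whose headers are the ones quoted in the question and whose body is deliberately cut short, rather than on a real pcap. The function names, the sample body and the 430000-byte truncation are all assumptions made for the example.

```python
# Added example (not code from the original question or answers): decide
# whether an HTTP download seen in a capture completed by comparing the
# declared Content-Length with the number of body bytes actually received.
#
# Instead of reading a real pcap, the sample below is a constructed
# server->client byte string: the headers are the ones quoted in the question,
# the body is truncated so that fewer bytes arrive than the header promises.

HEADERS = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Thu, 01 Aug 2013 17:28:17 GMT\r\n"
    b"Server: Apache\r\n"
    b"Last-Modified: Mon, 15 Apr 2013 08:29:57 GMT\r\n"
    b"Accept-Ranges: bytes\r\n"
    b"Content-Length: 784536\r\n"
    b"Keep-Alive: timeout=5, max=100\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Content-Type: application/x-msdownload\r\n"
    b"\r\n"
)

# Constructed body: an "MZ"-style prefix followed by padding, 430000 bytes in
# total, i.e. well short of the 784536 bytes the server announced.
TRUNCATED_BODY = b"MZP" + b"\x00" * (430_000 - 3)
SAMPLE_RESPONSE = HEADERS + TRUNCATED_BODY


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status line, headers, body).

    Header names are lower-cased so lookups are case-insensitive, as HTTP
    requires. Raises if the blank line ending the header block never arrives,
    which in a capture means even the headers were cut off.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP header block (no terminating blank line)")
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return status, headers, body


def check_download(raw: bytes) -> dict:
    """Report declared vs. received body size for one server->client stream.

    'complete' is True/False when Content-Length is present, and None when it is
    absent (chunked or connection-delimited bodies cannot be judged this way).
    Sizes in KB use 1 KB = 1024 bytes, as in the first answer (784536/1024).
    """
    status, headers, body = parse_response(raw)
    declared = headers.get("content-length")
    info = {
        "status": status,
        "declared": int(declared) if declared is not None else None,
        "received": len(body),
        "header_bytes": len(raw) - len(body),
        # If the body was compressed on the wire (Content-Encoding: gzip etc.),
        # the file on disk will differ from Content-Length even when complete.
        "content_encoding": headers.get("content-encoding"),
    }
    if info["declared"] is None:
        info["complete"] = None
    else:
        info["complete"] = info["received"] == info["declared"]
        info["declared_kb"] = info["declared"] // 1024   # 766, what the browser shows
        info["missing"] = max(info["declared"] - info["received"], 0)
    return info


if __name__ == "__main__":
    report = check_download(SAMPLE_RESPONSE)
    for key, value in report.items():
        print(f"{key:17} {value}")
```

In Wireshark the "Server IP -> Users IP" figure from Follow TCP Stream is the same data this script takes as `raw`: HTTP headers plus whatever body bytes made it across, so subtract the header bytes before comparing with Content-Length. A `complete` of `None` (no Content-Length) means the header gives no verdict and you have to look at the chunked framing or the connection close instead.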