The stream id of the http2 protocol "Frame Type => DATA" is incorrect #736

Open
huaixia777 opened this issue Feb 14, 2025 · 5 comments
Labels
🐞 bug Something isn't working question Further information is requested

Comments

@huaixia777

After fixing the #733 issue, I tried to use ecapture and Wireshark to capture HTTP/2 protocol packets at the same time, and found that the stream ID of the DATA frame, that is, "Frame Type => DATA", was incorrect.
The following is the packet that I captured.
It can be seen that the stream ID of the data frame in Wireshark is 1. However, the stream ID output for the data frame with the same content in ecapture is 3.
Can this problem be solved? Thank you very much!

ecapture (because the content is too long, some content is omitted):

{"time":"2025-02-14T11:20:59+08:00","message":"UUID:2578_2578_nginx_10_1_192.168.20.38:53790-192.168.10.201:5443, Name:HTTP2Response, Type:4, Length:22401

Frame Type	=>	SETTINGS
Frame StreamID	=>	0

Frame Type	=>	WINDOW_UPDATE
Frame StreamID	=>	0

Frame Type	=>	SETTINGS
Frame StreamID	=>	0

Frame Type	=>	HEADERS
Frame StreamID	=>	1
header field ":status" = "200"
header field "server" = "nginx"
header field "date" = "Fri, 14 Feb 2025 03:20:58 GMT"
header field "content-type" = "text/html"
header field "last-modified" = "Tue, 05 Nov 2024 06:42:06 GMT"
header field "vary" = "Accept-Encoding"
header field "etag" = "W/\\"6729be3e-28b1\\""
header field "cache-control" = "private, no-store, no-cache, must-revalidate, proxy-revalidate"
header field "x-frame-options" = "SAMEORIGIN"
header field "x-content-type-options" = "nosniff"
header field "x-xss-protection" = "1; mode=block"
header field "strict-transport-security" = "max-age=31536000; includeSubdomains;"
header field "x-permitted-cross-domain-policies" = "none"
header field "referrer-policy" = "strict-origin-when-cross-origin"
header field "content-security-policy" = "script-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:;img-src  'self' 'unsafe-inline' data: blob:; style-src 'self' 'unsafe-inline'; worker-src 'self' 'unsafe-inline' * blob:; font-src 'self' 'unsafe-inline' data: blob:;"
header field "x-downlaod-options" = "noopen"
header field "content-encoding" = "gzip"

Frame Type	=>	HEADERS
Frame StreamID	=>	3
header field ":status" = "200"
header field "server" = "nginx"
header field "date" = "Fri, 14 Feb 2025 03:20:58 GMT"
header field "content-type" = "application/javascript"
header field "last-modified" = "Tue, 05 Nov 2024 06:42:06 GMT"
header field "vary" = "Accept-Encoding"
header field "etag" = "W/\\"6729be3e-b944\\""
header field "x-frame-options" = "SAMEORIGIN"
header field "x-content-type-options" = "nosniff"
header field "x-xss-protection" = "1; mode=block"
header field "strict-transport-security" = "max-age=31536000; includeSubdomains;"
header field "x-permitted-cross-domain-policies" = "none"
header field "referrer-policy" = "strict-origin-when-cross-origin"
header field "content-security-policy" = "script-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:;img-src  'self' 'unsafe-inline' data: blob:; style-src 'self' 'unsafe-inline'; worker-src 'self' 'unsafe-inline' * blob:; font-src 'self' 'unsafe-inline' data: blob:;"
header field "x-downlaod-options" = "noopen"
header field "content-encoding" = "gzip"

Frame Type	=>	DATA
Frame StreamID	=>	3
<!DOCTYPE html>
<html lang="en">

  <head>
    <meta charset="utf-8" />
    <meta x-v="v3.0.0" />
    <meta http-equiv="X-UA-Compatible" content="IE=edge" />
    <meta name="viewport" content="width=device-width,initial-scale=1.0" />
    <link rel="icon" href="/favicon.ico" />

    <meta http-equiv="cache-control" content="no-cache" />
    <meta http-equiv="pragma" content="no-cache" />

    <style>
      .notice-browser * {
        font-family: "微软雅黑" !important;
        line-height: 1;
      }

      .notice-browser {
        position: absolute;
        top: 50%;
        left: 50%;
        z-index: 1000000;
        width: 520px;
        height: 310px;
        margin-top: -155px;
        margin-left: -260px;
        background-color: #fff;
        border-radius: 20px;
      }

      .notice-browser-title {
        margin-top: 36px;
        margin-left: 42px;
        color: #333;
        font-size: 22px;
      }

     ……

**@wireshark**

Image

dosubot bot commented Feb 14, 2025

Hi @huaixia777! I'm here to help you with any bugs, questions, or contributions. Let me know how I can assist you!

The issue you're experiencing with the incorrect stream ID for HTTP/2 DATA frames in ecapture might be related to how ecapture associates DATA frames with their corresponding HEADERS frames using the StreamID. In the ecapture codebase, the StreamID is used to track and associate frames, as seen in the Display method of the HTTP2Response struct [1].

To address this discrepancy, you might want to verify the logic in the code that handles the assignment and tracking of StreamIDs for HTTP/2 frames. Ensure that the StreamID is correctly maintained and updated throughout the processing of frames. It could be helpful to compare the logic with how Wireshark handles StreamIDs to identify any differences or potential issues in ecapture's implementation.


@dosubot dosubot bot added question Further information is requested 🐞 bug Something isn't working labels Feb 14, 2025
@yuweizzz
Contributor

Maybe the correct stream id is overwritten by the following one, see here.

I will try to fix it.

@yuweizzz
Contributor

yuweizzz commented Feb 14, 2025

After a local test, I believe the reason is that the current code merges all data frames together and uses the last stream id as the output.

So in pcap, you will see more than 3 data frames, but in text mode, it may have a single data frame.

It is a design question. What do you think about it? Is it better to merge or just output one by one?
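
The merge behaviour described in the comment above, as an added example that is not ecapture's code: a minimal HTTP/2 frame walker over a constructed byte stream that returns both the merged view (all DATA payloads, labelled with the last stream ID seen) and a per-stream view. The function names and sample payloads are assumptions, and frames are assumed to be unpadded.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// frame builds one unpadded HTTP/2 frame: 9-byte header followed by the payload.
func frame(typ byte, streamID uint32, payload string) []byte {
	n := len(payload)
	h := []byte{byte(n >> 16), byte(n >> 8), byte(n), typ, 0, 0, 0, 0, 0}
	binary.BigEndian.PutUint32(h[5:], streamID&0x7fffffff)
	return append(h, payload...)
}

// parse returns two views of the DATA payloads: merged/lastID concatenates all of
// them and keeps only the last stream ID; perStream keys each body by its stream.
func parse(buf []byte) (lastID uint32, merged string, perStream map[uint32]string, err error) {
	perStream = map[uint32]string{}
	for len(buf) > 0 {
		if len(buf) < 9 {
			return 0, "", nil, fmt.Errorf("truncated frame header (%d bytes)", len(buf))
		}
		n := int(buf[0])<<16 | int(buf[1])<<8 | int(buf[2])  // 24-bit length
		id := binary.BigEndian.Uint32(buf[5:9]) & 0x7fffffff // clear reserved bit
		if len(buf) < 9+n {
			return 0, "", nil, fmt.Errorf("truncated payload on stream %d", id)
		}
		if buf[3] == 0x0 { // frame type 0x0 is DATA
			p := string(buf[9 : 9+n])
			merged, lastID = merged+p, id
			perStream[id] += p
		}
		buf = buf[9+n:]
	}
	return
}

// sample is a constructed capture: two responses interleaved on streams 1 and 3.
func sample() []byte {
	b := frame(0x0, 1, "<html>")
	b = append(b, frame(0x0, 3, "var a;")...)
	b = append(b, frame(0x0, 1, "</html>")...)
	return append(b, frame(0x0, 3, "var b;")...)
}

func main() {
	id, merged, per, err := parse(sample())
	fmt.Printf("merged: stream=%d body=%q\nper-stream: %q err=%v\n", id, merged, per, err)
}
```

In the merged view the HTML that was sent on stream 1 is reported under stream 3, which is the mismatch against Wireshark reported in this issue; the per-stream view keeps each body with its own stream ID.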

@huaixia777
Author

Oh, thank you. I see what you mean. Can this be repaired?

@yuweizzz
Contributor

I think it is possible to fix; I will try to find a better solution.
