On Monday, August 25, 2003, at 7:25 PM, li wrote:
I use Ethereal to decode NetMeeting packets. NetMeeting always sends the
TPKT header first, which contains the PDU length, then waits for the ACK;
after getting the ACK, it sends the H.225 signalling to establish the
connection.
Client                       Server
------------------------>    send TPKT header
<------------------------    send ACK
------------------------>    send H.225 Setup (contains PDU)
Ethereal decodes the first packet as "Desegmented TCP", and merges the
third packet with the first packet, which means inserting the TPKT
header, then decodes it as:
[incomplete image, which didn't say anything about a "Fragment Offset"]
but the third packet's "Fragment Offset" is 0, so why insert this header?
The header is inserted because the TPKT dissector considers a TPKT
packet to consist of the TPKT header and the TPKT payload. There is no
guarantee that you will get the TPKT header in one frame and the TPKT
payload in the next frame - you could get them both in one frame, or
you could get the TPKT header and part of the TPKT payload in one frame
and the rest of the TPKT payload in subsequent frames. You could even,
conceivably, get part of the TPKT header in one frame and the rest of
the TPKT header, and the TPKT payload, in subsequent frames.
Therefore, the TPKT dissector reassembles the TPKT header and payload
as a single unit; this means that the TPKT header and payload will be
dissected in the third frame.
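
The reassembly behaviour described in this reply, as an added example that is not part of the original message and is not Ethereal's dissector code: a simplified stream reassembler that buffers TCP segment payloads until a whole TPKT packet (4-byte RFC 1006 header plus payload) is available and reports the frame in which it completes. The class and function names, frame numbers and the sample PDU bytes are constructed for illustration.

```python
import struct

TPKT_HEADER_LEN = 4  # RFC 1006: version (3), reserved, 16-bit length incl. header


class TpktReassembler:
    """Buffers TCP segment payloads and emits complete TPKT packets."""

    def __init__(self):
        self.buf = bytearray()

    def feed(self, frame_no, segment):
        """Add one segment; return [(frame_no, payload)] for packets it completes."""
        self.buf += segment
        done = []
        while len(self.buf) >= TPKT_HEADER_LEN:  # else: header itself is split
            version, _reserved, length = struct.unpack_from("!BBH", self.buf)
            if version != 3 or length < TPKT_HEADER_LEN:
                raise ValueError("not a TPKT header")
            if len(self.buf) < length:
                break  # header seen, payload still incomplete: wait for more
            done.append((frame_no, bytes(self.buf[TPKT_HEADER_LEN:length])))
            del self.buf[:length]
        return done


def tpkt(payload):
    """Wrap a payload in a TPKT header."""
    return struct.pack("!BBH", 3, 0, TPKT_HEADER_LEN + len(payload)) + payload


def run(frames):
    """frames: [(frame_no, tcp_payload)] for one direction of one connection."""
    r = TpktReassembler()
    out = []
    for frame_no, seg in frames:
        out.extend(r.feed(frame_no, seg))
    return out


PDU = b"constructed-h225-setup"  # constructed stand-in for an H.225 Setup PDU
WIRE = tpkt(PDU)

# NetMeeting pattern from the thread: header in frame 1, the ACK in frame 2
# (other direction, no payload, so not fed), payload in frame 3.
NETMEETING = run([(1, WIRE[:4]), (3, WIRE[4:])])
# Header and payload in a single frame.
ONE_FRAME = run([(1, WIRE)])
# Header itself split across frames, payload trailing in later frames.
SPLIT_HEADER = run([(1, WIRE[:2]), (2, WIRE[2:10]), (3, WIRE[10:])])
```

In each case the packet is reported only in the frame that supplies its last byte, which is why the header from frame 1 shows up in the dissection of frame 3.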