Wireshark · Wireshark-bugs: [Wireshark-bugs] [Bug 5667] TCP segment of a reassembled PDU

Wireshark-bugs: [Wireshark-bugs] [Bug 5667] TCP segment of a reassembled PDU

Date: Tue, 8 Feb 2011 22:45:29 -0800 (PST)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5667

--- Comment #3 from chris.groothoff@xxxxxxxxxxxx 2011-02-08 22:45:25 PST ---
(In reply to comment #1)
> What is the problem you're having?  Applications frequently use TCP reassembly
> and this is shown in Wireshark.  Is Wireshark not displaying them properly?

Stephen,

I am having an issue with RDP and whilst reviewing the captures I discovered
blocks of TCP reassembly entries. After looking at some of the forum comments I
found a number of references indicating that this could be an issue with
Wireshark and to log a case. It is quite possible that this is normal behaviour
and I am not reading the logs correctly.

An extract from the log with the subdissector option checked:
      1 0.000000    10.30.10.61           10.30.120.50          HTTP    
Continuation or non-HTTP traffic
      2 0.000111    10.30.120.50          10.30.10.61           TCP      62209
> http-alt [ACK] Seq=1 Ack=4294966761 Win=62953 Len=0
      3 0.000208    10.30.120.50          10.30.10.61           TCP      62209
> http-alt [ACK] Seq=1 Ack=481 Win=64240 Len=0
      4 0.027650    10.30.120.50          10.30.10.61           HTTP     GET
http://www.roscocanoes.com.au/images/Rosco-tile.jpg HTTP/1.1 
      5 0.043435    10.30.120.50          10.30.10.61           HTTP     GET
http://www.roscocanoes.com.au/images/searchbg.gif HTTP/1.1 
      6 0.046769    10.30.10.61           10.30.120.50          TCP      [TCP
segment of a reassembled PDU]
      7 0.047070    10.30.10.61           10.30.120.50          TCP      [TCP
segment of a reassembled PDU]
      8 0.047167    10.30.10.61           10.30.120.50          TCP      [TCP
segment of a reassembled PDU]
      9 0.047261    10.30.10.61           10.30.120.50          TCP      [TCP
segment of a reassembled PDU]
     10 0.047356    10.30.10.61           10.30.120.50          TCP      [TCP
segment of a reassembled PDU]
     11 0.047458    10.30.10.61           10.30.120.50          TCP      [TCP
segment of a reassembled PDU]
     12 0.047554    10.30.10.61           10.30.120.50          TCP      [TCP
segment of a reassembled PDU]
     13 0.047649    10.30.10.61           10.30.120.50          TCP      [TCP
segment of a reassembled PDU]
     14 0.047744    10.30.10.61           10.30.120.50          TCP      [TCP
segment of a reassembled PDU]
     15 0.047839    10.30.10.61           10.30.120.50          TCP      [TCP
segment of a reassembled PDU]
     16 0.047934    10.30.10.61           10.30.120.50          HTTP    
HTTP/1.1 200 OK  (JPEG JFIF image)
     17 0.048029    10.30.120.50          10.30.10.61           TCP      62209
> http-alt [ACK] Seq=564 Ack=1553 Win=63168 Len=0
     18 0.048297    10.30.120.50          10.30.10.61           TCP      62209
> http-alt [ACK] Seq=564 Ack=2625 Win=64240 Len=0
     19 0.048390    10.30.120.50          10.30.10.61           TCP      62209
> http-alt [ACK] Seq=564 Ack=3697 Win=63168 Len=0
     20 0.048484    10.30.120.50          10.30.10.61           TCP      62209
> http-alt [ACK] Seq=564 Ack=4769 Win=64240 Len=0
     21 0.048578    10.30.120.50          10.30.10.61           TCP      62209
> http-alt [ACK] Seq=564 Ack=5841 Win=63168 Len=0
     22 0.079197    10.30.120.50          10.30.10.61           HTTP     GET
http://www.roscocanoes.com.au/adm/thumbnailer.aspx?src=/prodImg/28212909.jpg&bgcolor=FFFFFF&width=220&height=110
HTTP/1.1 
     23 0.084028    10.30.10.61           10.30.120.50          TCP      [TCP
segment of a reassembled PDU]
     24 0.084222    10.30.10.61           10.30.120.50          TCP      [TCP
segment of a reassembled PDU]
     25 0.084320    10.30.10.61           10.30.120.50          TCP      [TCP
segment of a reassembled PDU]

With the subdissector disabled:
      1 0.000000    10.30.10.61           10.30.120.50          HTTP    
Continuation or non-HTTP traffic
      2 0.000111    10.30.120.50          10.30.10.61           TCP      62209
> http-alt [ACK] Seq=1 Ack=4294966761 Win=62953 Len=0
      3 0.000208    10.30.120.50          10.30.10.61           TCP      62209
> http-alt [ACK] Seq=1 Ack=481 Win=64240 Len=0
      4 0.027650    10.30.120.50          10.30.10.61           HTTP     GET
http://www.roscocanoes.com.au/images/Rosco-tile.jpg HTTP/1.1 
      5 0.043435    10.30.120.50          10.30.10.61           HTTP     GET
http://www.roscocanoes.com.au/images/searchbg.gif HTTP/1.1 
      6 0.046769    10.30.10.61           10.30.120.50          HTTP    
HTTP/1.1 200 OK  (JPEG JFIF image)[Unreassembled Packet] 
      7 0.047070    10.30.10.61           10.30.120.50          HTTP    
Continuation or non-HTTP traffic
      8 0.047167    10.30.10.61           10.30.120.50          HTTP    
Continuation or non-HTTP traffic
      9 0.047261    10.30.10.61           10.30.120.50          HTTP    
Continuation or non-HTTP traffic
     10 0.047356    10.30.10.61           10.30.120.50          HTTP    
Continuation or non-HTTP traffic
     11 0.047458    10.30.10.61           10.30.120.50          HTTP    
Continuation or non-HTTP traffic
     12 0.047554    10.30.10.61           10.30.120.50          HTTP    
Continuation or non-HTTP traffic
     13 0.047649    10.30.10.61           10.30.120.50          HTTP    
Continuation or non-HTTP traffic
     14 0.047744    10.30.10.61           10.30.120.50          HTTP    
Continuation or non-HTTP traffic
     15 0.047839    10.30.10.61           10.30.120.50          HTTP    
Continuation or non-HTTP traffic
     16 0.047934    10.30.10.61           10.30.120.50          HTTP    
Continuation or non-HTTP traffic
     17 0.048029    10.30.120.50          10.30.10.61           TCP      62209
> http-alt [ACK] Seq=564 Ack=1553 Win=63168 Len=0
     18 0.048297    10.30.120.50          10.30.10.61           TCP      62209
> http-alt [ACK] Seq=564 Ack=2625 Win=64240 Len=0
     19 0.048390    10.30.120.50          10.30.10.61           TCP      62209
> http-alt [ACK] Seq=564 Ack=3697 Win=63168 Len=0
     20 0.048484    10.30.120.50          10.30.10.61           TCP      62209
> http-alt [ACK] Seq=564 Ack=4769 Win=64240 Len=0
     21 0.048578    10.30.120.50          10.30.10.61           TCP      62209
> http-alt [ACK] Seq=564 Ack=5841 Win=63168 Len=0
     22 0.079197    10.30.120.50          10.30.10.61           HTTP     GET
http://www.roscocanoes.com.au/adm/thumbnailer.aspx?src=/prodImg/28212909.jpg&bgcolor=FFFFFF&width=220&height=110
HTTP/1.1 
     23 0.084028    10.30.10.61           10.30.120.50          HTTP    
HTTP/1.1 200 OK  (GIF89a)
     24 0.084222    10.30.10.61           10.30.120.50          HTTP    
Continuation or non-HTTP traffic
     25 0.084320    10.30.10.61           10.30.120.50          HTTP    
Continuation or non-HTTP traffic

The other interesting attribute is  that all these segements/packets are 590
bytes in size.

If Wireshark is reporting correctly, I am happy, but I would like to understand
what it is trying to tell me.

-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
References:
- [Wireshark-bugs] [Bug 5667] New: TCP segment of a reassembled PDU
  - From: bugzilla-daemon
Prev by Date: [Wireshark-bugs] [Bug 5669] New Coloring Rule added with lowest priority
Next by Date: [Wireshark-bugs] [Bug 5665] On Ubuntu 10.10 AMD64, wireshark can not be build
Previous by thread: [Wireshark-bugs] [Bug 5667] TCP segment of a reassembled PDU
Next by thread: [Wireshark-bugs] [Bug 5667] TCP segment of a reassembled PDU
Index(es):
- Date
- Thread