Wireshark-dev: Re: [Wireshark-dev] question about TCP flag DESEGMENT_UNTIL_FIN


From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 01 Aug 2007 11:37:29 -0700

yin sun wrote:
> Hello,
> I found out that when a subdissector on top of TCP sets
>
>     if (pinfo->can_desegment) {
>         pinfo->desegment_len = DESEGMENT_UNTIL_FIN;
>         return;
>     }
>
> then, when pinfo->can_desegment is 0 again, the subdissector received the whole TCP stream in tvb minus the payload from the FIN packet.
>
> Is this by design, or by mistake?

As I noted in the bug you filed, at least as I read RFC 793, it appears to say that SYN and FIN segments can have data:

For sequence number purposes, the SYN is considered to occur before the first actual data octet of the segment in which it occurs, while the FIN is considered to occur after the last actual data octet in a segment in which it occurs.

so, unless I've misread the RFC, if it's by design, it's a design error - the reassembly code should process payload in a FIN segment.
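
The sequence-number rule quoted above, worked through in C as an added example; it is not part of the original message and is not Wireshark's reassembly code. `struct seg`, `reassemble()`, `keep_fin_payload` and the sample segments are constructed for illustration, and only in-order segments in one direction are handled.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TH_FIN 0x01
#define TH_SYN 0x02

/* Hypothetical segment record for this example, not a Wireshark structure. */
struct seg { uint32_t seq; uint8_t flags; const char *data; uint32_t len; };

/* Constructed one-direction capture: SYN, a data segment, then FIN with data. */
static const struct seg demo[] = {
    { 1000, TH_SYN, "",         0 },
    { 1001, 0,      "GET / ",   6 },
    { 1007, TH_FIN, "HTTP/1.0", 8 },
};

/* Reassemble in-order segments into out[]; returns the bytes copied and stores
 * the sequence number occupied by the FIN in *fin_seq. Per RFC 793 the SYN
 * sits before the first data octet of its segment and the FIN after the last,
 * so the FIN segment's payload belongs to the stream. keep_fin_payload == 0
 * reproduces the reported behaviour of dropping that payload. */
size_t reassemble(const struct seg *s, size_t n, uint32_t isn,
                  int keep_fin_payload, char *out, size_t cap, uint32_t *fin_seq)
{
    uint32_t next = isn;                 /* next expected sequence number */
    size_t used = 0;
    for (size_t i = 0; i < n; i++) {
        if (s[i].seq != next) continue;  /* this sketch handles in-order data only */
        if (s[i].flags & TH_SYN) next++; /* SYN precedes the data octets */
        int is_fin = (s[i].flags & TH_FIN) != 0;
        if (s[i].len && (!is_fin || keep_fin_payload) && used + s[i].len <= cap) {
            memcpy(out + used, s[i].data, s[i].len);
            used += s[i].len;
        }
        next += s[i].len;                /* data octets always consume sequence space */
        if (is_fin) { *fin_seq = next; break; } /* FIN follows the last data octet */
    }
    return used;
}

int main(void)
{
    char buf[64]; uint32_t fin = 0;
    size_t n = reassemble(demo, 3, 1000, 1, buf, sizeof buf, &fin);
    printf("with FIN payload: %.*s (FIN at seq %u)\n", (int)n, buf, (unsigned)fin);
    n = reassemble(demo, 3, 1000, 0, buf, sizeof buf, &fin);
    printf("FIN payload dropped: %.*s\n", (int)n, buf);
    return 0;
}
```

With the FIN payload dropped, the analyzer's view of the stream is shorter than what the receiving endpoint delivers to its application, even though the sequence numbers still account for the missing octets.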
