Wireshark-users: Re: [Wireshark-users] TCP problem

From: Sake Blok <sake@xxxxxxxxxx>
Date: Thu, 19 Jun 2008 21:04:25 +0200
On Thu, Jun 19, 2008 at 11:46:01PM +0530, Sabyasachi Samal wrote:

> I am having one problem while sending SIP messages over TCP transport.
> Sometimes Wireshark shows
> 
> [Unreassembled Packet [incorrect TCP checksum]: SIP] . Why this error is
> coming?
> 
> At other side it displays [TCP segment of a reassembled PDU]. Please let me
> know what does this mean and in which situation it is coming.

If you look at your traces, you see that in trace UE.cap, every packet
that was sent from 11.22.22.1 has a faulty TCP checksum. This usually
happens when the capture was made on the sending host when the sending
host does TCP checksum offloading.
(see: http://wiki.wireshark.org/TCP_checksum_offload)

You can disable checksum verification in the TCP protocol preferences to
prevent these frames from being marked.

> How to avoid this. Currently sometimes two requests are merged to one
> packet.

The merger of two frames into one is called "TCP reassembly". Since
TCP is a streaming protocol, it has no knowledge of where a protocol
data unit (PDU) of a higher protocol starts or finishes. It just
transports the data it is given. Because there is a maximum size
that a packet can have on the network, the higher protocol PDU
sometimes needs to be cut in parts for transport across the network.
Wireshark can reconstruct the whole PDU, that's why you see
"[TCP segment of a reassembled PDU]" on one packet and then the 
whole PDU in the next packet. When the checksum of a packet is
bad, the reassembly is broken (because a bad checksum usually means
that the data is corrupt). But the dissector knows that the data
belongs to a PDU that spans multiple packets. That's when you see
"[Unreassembled Packet [incorrect TCP checksum]: SIP]".

> Sending the trace for both sides please have a look and let me know how to
> get rid of this.

If you want to see each packet as it was on the network without
reassembling the higher layer PDUs, you can disable reassembly
by unchecking "Allow subdissector to reassemble TCP streams" in
the TCP protocol preferences.

Hope this helps,
Cheers,
    Sake
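
Added example, not part of the original message and not Wireshark's own code: a minimal Python sketch of the framing a SIP-over-TCP reader has to do, with one request split across segments and another sharing a segment with the tail of the first. The function name, the sample messages and the example.invalid addresses are constructed for illustration, and the payloads are assumed to arrive in order and without loss.

```python
import re

# Content-Length header, or its compact form "l", inside a SIP header block.
_CLEN = re.compile(rb"^(?:Content-Length|l)[ \t]*:[ \t]*(\d+)", re.I | re.M)


def frame_sip_stream(segments):
    """Rebuild SIP PDUs from in-order TCP payloads.

    Returns (pdus, leftover). Each entry of pdus is (segment_index, message),
    where segment_index is the segment in which the PDU became complete;
    leftover holds bytes of a PDU still waiting for more segments.
    """
    buf = b""
    pdus = []
    for index, payload in enumerate(segments):
        buf += payload
        while True:
            end = buf.find(b"\r\n\r\n")
            if end < 0:
                break  # header block not complete yet
            match = _CLEN.search(buf[:end + 2])
            body_len = int(match.group(1)) if match else 0
            total = end + 4 + body_len
            if len(buf) < total:
                break  # body continues in a later segment
            pdus.append((index, buf[:total]))
            buf = buf[total:]  # may already hold the start of the next PDU
    return pdus, buf


def _msg(start_line, body=b""):
    # Constructed sample message with only the headers needed for framing.
    return (start_line + b"\r\nCall-ID: constructed@example.invalid\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


INVITE = _msg(b"INVITE sip:bob@example.invalid SIP/2.0", b"v=0\r\ns=constructed\r\n")
OPTIONS = _msg(b"OPTIONS sip:bob@example.invalid SIP/2.0")

# Constructed segmentation: the INVITE is cut in two, and the second segment
# also carries the beginning of the OPTIONS request.
SEGMENTS = [INVITE[:40], INVITE[40:] + OPTIONS[:30], OPTIONS[30:]]

if __name__ == "__main__":
    for seg_index, pdu in frame_sip_stream(SEGMENTS)[0]:
        print(seg_index, pdu.split(b"\r\n", 1)[0].decode())
```

Segment 0 yields nothing on its own, which corresponds to the "[TCP segment of a reassembled PDU]" label described above; the complete request only appears once the segment that finishes it has been seen.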