Wireshark-dev: [Wireshark-dev] Reassembly of Split TCP packets - tcp_dissect_pdus() and "Follow

From: Selçuk Cevher <cevhers@xxxxxxxxx>
Date: Thu, 13 Aug 2009 09:52:57 +0300
Hi All,

I am new to Wireshark development and, at this stage, mostly interested in the inner workings of Wireshark.

First, I want to make sure that what I currently know about Wireshark is correct.

In section 9.4.2 "How to reassemble split TCP Packets" of Wireshark's development guide, I saw that an application layer message can be carried in a single TCP packet or multiple ones.

If there are multiple TCP packets carrying an application protocol message, the application protocol's header is contained only in the first TCP packet; the remaining packets have application data only.

In this case, to properly dissect the application layer message, the split TCP packets should first be reassembled. That's why tcp_dissect_pdus() is used.

On the other hand, the development guide also says that a single TCP segment can carry multiple application messages at the same time.

In this case, it cannot be assumed that "the message header is at the start of your TCP payload". Does it mean that there might be multiple application layer headers in the payload of this single TCP segment, and that each application header may start from an arbitrary location depending on the message size?

My second issue is the "Follow TCP Stream" command.

How does this command relate to the reassembly of split TCP packets or tcp_dissect_pdus()?

The implementation of the "Follow TCP Stream" command should be more complicated, since it should cover handling of dropped, duplicated and out-of-order TCP packets.

How does Wireshark handle these issues? Where is the implementation of the "Follow TCP Stream" command in the source tree?

I would really appreciate any help on this in terms of comments, documents, URLs, etc.

Thanks.
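The two cases raised in the message above (several application messages packed into one TCP segment, and one message split across several segments) are exactly what the loop inside tcp_dissect_pdus() has to cope with: it asks the dissector's get_pdu_len callback for each PDU's length once enough header bytes are available, and either dissects the PDU and moves on to the next one in the same payload, or stops and asks TCP for more bytes. What follows is an added, self-contained C simulation of that loop; it is not code from Wireshark and not from the original post. The 2-byte length-prefixed protocol, the pdu_stream struct, the byte stream and the function names feed_segment and run_demo are all constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed application protocol: every PDU starts with a 2-byte
 * big-endian length field that counts the whole PDU, header included.
 * Those 2 bytes play the role of the fixed-length header that the
 * get_pdu_len callback needs before it can report the PDU size. */
#define HDR_LEN 2
#define MAX_PENDING 256
#define MAX_PDUS 16

/* Per-conversation desegmentation state (Wireshark keeps the real
 * equivalent in its TCP reassembly tables; this struct is a stand-in). */
typedef struct {
    uint8_t pending[MAX_PENDING];   /* bytes carried over from earlier segments */
    size_t  pending_len;
    int     pdu_count;              /* PDUs handed to the "dissector" so far */
    size_t  pdu_lens[MAX_PDUS];     /* length of each dissected PDU, in order */
} pdu_stream;

/* Stand-in for the get_pdu_len callback: given at least HDR_LEN bytes
 * at the start of a PDU, return that PDU's total length. */
static size_t get_pdu_len(const uint8_t *p)
{
    return ((size_t)p[0] << 8) | p[1];
}

/* Stand-in for the dissect_pdu callback: consume exactly one PDU. */
static void dissect_pdu(pdu_stream *st, const uint8_t *pdu, size_t len)
{
    (void)pdu;                              /* a real dissector would build the tree here */
    if (st->pdu_count < MAX_PDUS)
        st->pdu_lens[st->pdu_count] = len;
    st->pdu_count++;
}

/* Feed one TCP segment's payload. Returns the number of complete PDUs
 * dissected from this segment, or -1 on a malformed length field.
 * The loop mirrors what tcp_dissect_pdus() does: walk the payload PDU
 * by PDU, stop when the next header or body is incomplete, and keep
 * the remainder until the next segment arrives. */
int feed_segment(pdu_stream *st, const uint8_t *seg, size_t seg_len)
{
    if (st->pending_len + seg_len > MAX_PENDING)
        return -1;
    memcpy(st->pending + st->pending_len, seg, seg_len);
    st->pending_len += seg_len;

    size_t off = 0;
    int completed = 0;
    while (st->pending_len - off >= HDR_LEN) {
        size_t plen = get_pdu_len(st->pending + off);
        if (plen < HDR_LEN)
            return -1;                      /* length cannot even cover its own header */
        if (st->pending_len - off < plen)
            break;                          /* PDU split across segments: wait for more */
        dissect_pdu(st, st->pending + off, plen);
        completed++;
        off += plen;                        /* next header starts here, not at offset 0 */
    }
    /* Keep the unfinished tail (a partial header or a partial body). */
    memmove(st->pending, st->pending + off, st->pending_len - off);
    st->pending_len -= off;
    return completed;
}

/* Constructed demo stream: three PDUs (5, 4 and 7 bytes) delivered in
 * three segments whose boundaries ignore the PDU boundaries. */
static const uint8_t STREAM[16] = {
    0x00, 0x05, 'a', 'b', 'c',                /* PDU 1 */
    0x00, 0x04, 'x', 'y',                     /* PDU 2 */
    0x00, 0x07, 'p', 'q', 'r', 's', 't'       /* PDU 3 */
};

/* Run the demo; fills per_segment with the PDUs completed by each segment
 * and returns the total number of PDUs dissected (3 on success). */
int run_demo(int per_segment[3])
{
    pdu_stream st;
    memset(&st, 0, sizeof st);
    per_segment[0] = feed_segment(&st, STREAM, 3);       /* partial PDU 1 only */
    per_segment[1] = feed_segment(&st, STREAM + 3, 8);   /* rest of 1, all of 2, header of 3 */
    per_segment[2] = feed_segment(&st, STREAM + 11, 5);  /* rest of 3 */
    return st.pdu_count;
}

int main(void)
{
    int per_seg[3];
    int total = run_demo(per_seg);
    printf("segment 1: %d PDU(s), segment 2: %d, segment 3: %d, total %d\n",
           per_seg[0], per_seg[1], per_seg[2], total);
    return total == 3 ? 0 : 1;
}
```

The second segment is the interesting one: it finishes PDU 1, carries all of PDU 2, and holds only the header of PDU 3, so the loop dissects two PDUs whose headers sit at offsets 0 and 5 of the reassembled buffer and then parks the 2-byte header until the third segment completes it. A dissector that assumed one header per segment at offset 0 would mis-parse this stream.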