Wireshark-dev: [Wireshark-dev] Question about reassembled fragmentation

From: "Qmo (Yi-Sheng)" <qmosheng@xxxxxxxxx>
Date: Wed, 11 Nov 2009 16:20:53 +0800
Dear all,

I've written a frame decoder which decodes the cap file captured by Wireshark.
Now I have a question about packet reassembly.
When I decode a TCP frame, it was partitioned into 3 packets. In Wireshark, it looks like:

   No.     Time          Source              Destination                    Protocol                      Info
  132                    10.1.123.5           10.80.111.2                      TCP                     [TCP segment of a reassembled PDU]
  133                    10.1.123.5           10.80.111.2                      TCP                     [TCP segment of a reassembled PDU]
  134                    10.1.123.5           10.80.111.2                      HTTP                   HTTP/1.1  200 OK   (GIF89a)

I want to decode the HTTP packet, but it involves the three packets.
In Wireshark "Packet bytes Pane", the packet No. 134 shows
 [Reassembled TCP Segments (1938 bytes):  #132(272)  #133(1460)  #134(206) ]
     [Frame: 132 , payload: 0-271]
     [Frame: 133 , payload: 272-1731]
     [Frame: 134,  payload:1732-1937]

How does Wireshark know this information from the cap file?
I've looked at the "Packet bytes Pane" for packet No. 134, and it seems to contain no information about this.
If we don't know the packet No. of all the assembled packets, we can't decode them.
Can anyone help me?  Thank you very much!!

Best Regards,
Qmo
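
Added example, not part of the original post and not Wireshark's code: a capture file stores only raw frames, so the frame-to-offset map shown for packet 134 has to be computed by the reader from TCP sequence numbers, with the HTTP headers (Content-Length) giving the PDU length. The sketch below does that for one direction of one TCP flow; the `Segment` type, the sequence numbers and the payload bytes are constructed to match the 272 + 1460 + 206 split in the question.

```python
from dataclasses import dataclass

@dataclass
class Segment:
    frame: int      # frame number in the capture file
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes  # TCP payload only (link/IP/TCP headers stripped)

def http_pdu_length(data: bytes):
    """Header length + Content-Length, or None while the headers are incomplete."""
    end = data.find(b"\r\n\r\n")
    if end < 0:
        return None
    body_len = 0
    for line in data[:end].split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            body_len = int(value.strip())
    return end + 4 + body_len

def reassemble(segments):
    """Map frames of one direction of one TCP flow to offsets in the PDU."""
    ordered = sorted(segments, key=lambda s: s.seq)  # seq wraparound ignored
    base, stream, parts = ordered[0].seq, b"", []
    for s in ordered:
        off = s.seq - base
        if off > len(stream):   # hole: a segment is missing from the capture
            break
        new = s.payload[len(stream) - off:]  # drop retransmitted/overlapping bytes
        if new:
            parts.append((s.frame, len(stream), len(stream) + len(new) - 1))
            stream += new
    need = http_pdu_length(stream)
    return parts, need, need is not None and len(stream) >= need

# Constructed sample: a 1938-byte HTTP response cut into 272 + 1460 + 206 bytes.
HEADER = b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\nContent-Length: 1872\r\n\r\n"
MESSAGE = HEADER + b"GIF89a" + b"\x00" * 1866
ISN = 5000  # constructed starting sequence number
SAMPLE = [Segment(133, ISN + 272, MESSAGE[272:1732]),
          Segment(132, ISN, MESSAGE[:272]),
          Segment(134, ISN + 1732, MESSAGE[1732:])]

if __name__ == "__main__":
    parts, need, complete = reassemble(SAMPLE)
    for frame, start, end in parts:
        print(f"Frame {frame}: payload {start}-{end}")
    print(f"PDU length {need} bytes, complete={complete}")
```

A decoder used for traffic analysis should also decide how to treat overlapping segments whose bytes differ; this sketch keeps the first copy seen.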