Wireshark · Wireshark-dev: Re: [Wireshark-dev] TCP reassembly when packet capture size limited

Wireshark-dev: Re: [Wireshark-dev] TCP reassembly when packet capture size limited

From: Sake Blok <sake@xxxxxxxxxx>

Date: Tue, 16 Nov 2010 21:31:29 +0100

On 16 nov 2010, at 19:17, Guy Harris wrote:

> On Nov 16, 2010, at 9:58 AM, Stephen Fisher wrote:
> 
>> Should TCP reassembly be done when the packet size was limited during 
>> capture?
> 
> Not unless we can do reassembly with "holes" in the result, which we currently can't do.  At least some other dissectors check to make sure, when adding data to the reassembled packet, that all the data they're adding is present.

IMHO reassembly is not very useful when packets have been truncated. So I would prevent TCP reassembly at the TCP level (actually I was under the impression the TCP dissector was doing that already, but I could be mistaken).

Sake

References:
- [Wireshark-dev] TCP reassembly when packet capture size limited
  - From: Stephen Fisher
- Re: [Wireshark-dev] TCP reassembly when packet capture size limited
  - From: Guy Harris

Prev by Date: Re: [Wireshark-dev] editcap -B
Next by Date: Re: [Wireshark-dev] Filter for generated items
Previous by thread: Re: [Wireshark-dev] TCP reassembly when packet capture size limited
Next by thread: [Wireshark-dev] Call register_stat_menu_item from a plugin
Index(es):
- Date
- Thread