very good explanation thank you somuch
发自网易邮箱大师
On Nov 22, 2017, at 9:42 AM, Pascal Quantin <pascal.quantin@xxxxxxxxx> wrote:
> No, Wireshark also keeps in memory all what is needed to make the relationship between packets (request / response tracking, conversations, reassembly, ...).
And sometimes that information is needed to do packet dissection, so it's necessary even if all you want is "just some protocol’s field information".
For example, some request/response protocols (such as all ONC RPC-based protocols) have a request type value and a request ID in a request packet and, in the response, have only the request ID for the request to which this is a response, *not* the type value,
so you need the type value from the request in order to dissect the response.
And to fully and correctly dissect packets, to get the field information from higher-level protocols in the packet, you may need to do reassembly.
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives: https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
