Wireshark-dev: Re: [Wireshark-dev] Suppress [TCP segment of a reassembled PDU] in COL_INFO

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Sun, 10 Feb 2019 11:57:55 -0800
On Feb 10, 2019, at 11:44 AM, <david_aggeler@xxxxxxxxxx> <david_aggeler@xxxxxxxxxx> wrote:

> I’m cleaning up the re-assembly in the DICOM decoder (I haven’t touched it for years, so it was overdue)
> DICOM data elements are usually pretty big, and I need more than TCP level re-assembly. 
>  
> To have COL_INFO focus on what is relevant for DICOM, I’d like to suppress the postfix of “[TCP segment of a reassembled PDU]”.

From the screenshot, I suspect the problem is that the frame in question contains data from more than one DICOM PDU, so that it contains the last octets of one DICOM PDU and the beginning octets of another PDU, and that, at the TCP reassembly layer, more data is needed for the second PDU.

So, technically, that frame is a TCP segment of a (to be-)reassembled PDU.

However, given that it's the finishing segment of a PDU, at a layer above TCP, and thus would have information about *that* PDU, the fact that it also happens to be the first TCP segment of the PDU following that PDU is not of interest.

Note that, except in the first paragraph, I didn't use the name "DICOM" - i.e., this isn't a problem with DICOM, it's a problem with the TCP dissector; that's where the "[TCP segment of a reassembled PDU]" is generated, and that's where it needs to be suppressed.

Please file a bug on that (and don't speak of it as a DICOM-specific problem, as the same problem could occur with any other protocol that runs over TCP).
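
The situation described in this message, as an added example that is not part of the original thread and is not Wireshark's TCP dissector code: a stand-alone C model showing that a middle frame can both finish one PDU and begin the next, and that labelling only frames which finish no PDU suppresses the text there. The names `feed_segment` and `demo_frame` are hypothetical, and the 6-byte length-prefixed header (type, reserved, 4-byte big-endian length) and the sample bytes are assumptions constructed for the illustration.

```c
#include <stdint.h>
#include <string.h>

#define HDR_LEN 6 /* assumed framing: type(1) reserved(1) length(4, big-endian) */

struct stream { uint8_t buf[256]; size_t len; }; /* bytes not yet dissected */
struct frame_result { int pdus_completed; size_t bytes_pending; int show_segment_label; };

/* Feed one TCP segment and report what is known about the frame carrying it. */
struct frame_result feed_segment(struct stream *s, const uint8_t *seg, size_t n)
{
    struct frame_result r = { 0, s->len, 0 };
    if (n > sizeof s->buf - s->len) {   /* would overflow the buffer: reject */
        r.pdus_completed = -1;
        return r;
    }
    memcpy(s->buf + s->len, seg, n);
    s->len += n;
    size_t off = 0;
    while (s->len - off >= HDR_LEN) {
        const uint8_t *h = s->buf + off;
        uint32_t body = ((uint32_t)h[2] << 24) | ((uint32_t)h[3] << 16) |
                        ((uint32_t)h[4] << 8) | (uint32_t)h[5];
        if (body > s->len - off - HDR_LEN)
            break;                      /* last PDU still needs more segments */
        off += HDR_LEN + body;
        r.pdus_completed++;
    }
    memmove(s->buf, s->buf + off, s->len - off);
    s->len -= off;
    r.bytes_pending = s->len;
    /* Policy argued in the message: label only frames that finish no PDU. */
    r.show_segment_label = (r.pdus_completed == 0 && s->len > 0);
    return r;
}

/* Constructed sample: PDU A (10-byte body) then PDU B (20-byte body), cut into
 * 12/12/18-byte segments so the second segment ends A and begins B. */
struct frame_result demo_frame(int idx)
{
    static const size_t cut[4] = { 0, 12, 24, 42 };
    uint8_t bytes[42] = { 0 };
    struct stream s = { { 0 }, 0 };
    struct frame_result r = { 0, 0, 0 };
    bytes[0] = 0x04; bytes[5] = 10;     /* header of A at offset 0 */
    bytes[16] = 0x04; bytes[21] = 20;   /* header of B at offset 16 */
    for (int i = 0; i <= idx && i < 3; i++)
        r = feed_segment(&s, bytes + cut[i], cut[i + 1] - cut[i]);
    return r;
}
```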