
Wireshark-users: Re: [Wireshark-users] TCP Reassembly Question

From: Sake Blok <sake@xxxxxxxxxx>
Date: Sat, 16 Dec 2006 18:56:55 +0100
On Sat, Dec 16, 2006 at 12:13:09PM -0500, Small, James wrote:
> 
> Is the way it works like this?
> 
> I want to transmit a 100K PNG file via TCP.
> TCP segments (right term?) the packet to accommodate the MTU of the
> underlying transport.
> So if we're using Ethernet with an MTU of 1500 and IP+TCP overhead of 40
> bytes, my payload size is 1460 bytes per packet (assuming no MSS
> reductions in SYN packets).
> TCP would use 71 packets to transmit the 100K image (102400 bytes).
> (Assuming ideal conditions and each packet is max size)

That's correct...

> So I'm assuming if I use Wireshark, I would see 70 TCP segment of a
> reassembled PDU frames and then one frame showing the transfer protocol
> (http for example) at the end.

If TCP allows the subdissector to reassemble PDUs and the subdissector
has reassembly enabled, yes, that's what you would see.

> I have tried something like this and it appears to work that way.

:)

> So assuming my understanding is correct, is there any way to tell from
> looking at a TCP packet/segment which other TCP segments are part of the
> same "stream"?

No, TCP is a transport protocol, it will transport data for you and
it does that reliably. This means that it checks if the data is
received by the other side and if not, it will tell the protocol that
wanted to send data that the transmission has failed.

It is the layer on top of TCP that interprets the data and it is the
protocol in this layer that is responsible for splitting up the
various objects in a tcp-stream. To the upper layer there are no
segments, it is just a stream coming from the tcp-buffers.

> Or is everything for one TCP session between the SYN-SYN/ACK-ACK and the
> FIN/ACK-ACK-FIN/ACK-ACK part of the "stream"?

Everything is part of the same stream, whether that stream contains
one object or several objects is dependent on the protocol that 
uses the tcp-transport.

> I guess another way to ask this question would be to say, can I use one
> TCP session to send multiple files or does each file/data chunk require
> a new TCP session/stream?

Same answer here, that depends on the protocol that uses tcp.

I hope this clears things up a little!

Cheers,    Sake
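
Added example (not part of the original message, and not Wireshark's code): a minimal Python sketch of the point made in this thread, rebuilding one direction of a TCP stream from its segments and then letting the upper-layer protocol (here HTTP with Content-Length) split the stream into objects. The function names, the 16-byte MSS and the sample data are constructed for illustration; it assumes no sequence-number wraparound and no chunked encoding.

```python
# Constructed example: segments are generated inline, not taken from a capture.
def segment(data, isn, mss):
    """Cut data into (seq, payload) segments of at most mss bytes."""
    return [(isn + 1 + i, data[i:i + mss]) for i in range(0, len(data), mss)]

def reassemble(segments, isn):
    """Rebuild the byte stream; tolerates reordering and retransmission."""
    stream, next_seq = bytearray(), isn + 1  # first data byte follows the SYN
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        end = seq + len(payload)
        if end <= next_seq:
            continue  # retransmission of bytes we already have
        if seq > next_seq:
            break  # gap: a segment is missing, stop at the hole
        stream += payload[next_seq - seq:]  # keep only the new bytes
        next_seq = end
    return bytes(stream)

def split_http_responses(stream):
    """Split the stream into response bodies; TCP itself has no such boundaries."""
    objects, pos = [], 0
    while pos < len(stream):
        head_end = stream.find(b"\r\n\r\n", pos)
        if head_end < 0:
            break  # header not complete yet
        length = 0
        for line in stream[pos:head_end].split(b"\r\n")[1:]:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"content-length":
                length = int(value.strip())
        body_end = head_end + 4 + length
        if body_end > len(stream):
            break  # body not fully received
        objects.append(stream[head_end + 4:body_end])
        pos = body_end
    return objects

def response(body):
    return b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n\r\n" % len(body) + body

BODY_A, BODY_B = b"A" * 40, b"B" * 25
WIRE = response(BODY_A) + response(BODY_B)  # two objects, one TCP session
ISN = 1000
ORDERED = segment(WIRE, ISN, 16)
SEGMENTS = ORDERED[::-1] + ORDERED[2:4]  # reversed order plus two duplicates

if __name__ == "__main__":
    stream = reassemble(SEGMENTS, ISN)
    print(len(SEGMENTS), "segments ->", len(split_http_responses(stream)), "objects")
```
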