Wireshark-users: Re: [Wireshark-users] How to get rid of "TCP segment of a reassembled PDU" messa

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 26 Mar 2008 11:21:20 -0700
Grant Edwards wrote:
> I'm tracing data in a TCP connection between two devices, and
> about half way through the trace, wireshark stops displaying
> packet info and just shows [TCP segment of a reassembled PDU].
>
> It's _not_ a "TCP segment of a reassembled PDU".  It's just a
> stream of bytes.

To what does "it" refer? The entire TCP connection is the stream of bytes; individual packets are what are reported as TCP segments of a reassembled PDU.

The protocol Wireshark thinks the connection is running atop TCP is one for which it does reassembly; it appears to think that a packet requiring reassembly is in the stream, but, for whatever reason - perhaps TCP segments that weren't captured, or perhaps a bug - can't finish the reassembly process for that packet.

Try turning the reassembly option off for that protocol (if it has such an option in the preferences) or for TCP as a whole.

Could you file a bug on this, and attach a capture that shows the problem, so, if there *is* a bug (rather than a missing packet), we can try to fix it? (Even if there is a missing packet, it might be possible to get the reassembly code to handle that better.)

> I've told wireshark to not decode that TCP
> stream

What do you mean by "not decode"?

> but it still refuses to display packet info.  I think
> it's getting confused by packets that aren't part of the TCP
> stream in question.

If they're present in the capture but not part of the stream, that won't affect the reassembly (unless there's a bug in the TCP reassembly code).
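
The "TCP segments that weren't captured" case from the reply above, as an added example that is not part of the original message and is not Wireshark's code: a simplified reassembler that shows a PDU being started but never completed once a segment is missing. The 2-byte length-prefixed protocol, the function name and the sample segments are assumptions constructed for illustration, and sequence-number wraparound is ignored.

```python
import struct

def reassemble(segments, isn):
    """Rebuild PDUs from (seq, payload) pairs of ONE direction of ONE connection.

    Returns (pdus, pending_bytes, gap): complete PDU payloads, the number of
    bytes held for an unfinished PDU, and (missing_seq, next_seq_seen) for the
    first hole in the sequence space, or None if the stream is contiguous.
    """
    by_seq = {}
    for seq, data in segments:
        # Retransmissions: keep the longest copy seen for a sequence number.
        if len(data) > len(by_seq.get(seq, b"")):
            by_seq[seq] = data

    stream, next_seq, gap = bytearray(), isn, None
    for seq in sorted(by_seq):          # capture order does not matter
        data = by_seq[seq]
        if seq > next_seq:              # hole: a segment was never captured
            gap = (next_seq, seq)
            break
        skip = next_seq - seq           # trim bytes already delivered (overlap)
        if skip < len(data):
            stream += data[skip:]
            next_seq = seq + len(data)

    pdus, off = [], 0
    while len(stream) - off >= 2:
        (length,) = struct.unpack_from(">H", stream, off)
        if len(stream) - off - 2 < length:
            break                       # PDU started, remaining bytes not available
        pdus.append(bytes(stream[off + 2:off + 2 + length]))
        off += 2 + length
    return pdus, len(stream) - off, gap

# Constructed sample: two PDUs split across four TCP segments, ISN 1000.
STREAM = b"".join(struct.pack(">H", len(p)) + p for p in (b"hello", b"wireshark!"))
CUTS = [0, 7, 12, 15, 19]
FULL = [(1000 + a, STREAM[a:b]) for a, b in zip(CUTS, CUTS[1:])]
LOSSY = [s for s in FULL if s[0] != 1012]   # one segment missing from the capture

if __name__ == "__main__":
    print(reassemble(FULL, 1000))
    print(reassemble(LOSSY, 1000))
```

In the lossy run the second PDU stays pending with a reported hole at sequence 1012, which is the situation where every later segment can only be labelled as part of a PDU that never finishes.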