Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-users: Re: [Wireshark-users] asking a question

From: Jaap Keuter <jaap.keuter@xxxxxxxxx>
Date: Wed, 16 Dec 2009 23:15:47 +0100
As should I. Thanks Sake. :-)

Sake Blok wrote:
Jaap,

You're mixing the IP fragmentation and TCP segmentation to a nice cocktail ;-)

The "TCP segment of a reassembled PDU" message means that some protocol on top of TCP sent a PDU to the TCP layer which the TCP layer was not able to send to the IP layer in one segment (which has a maximum size called the maximum segment size or in short MSS). The TCP layer will split up the message into several segments and hand those segment over the the IP layer for transport. When wireshark sees a TCP segment which does not contain the full upper layer PDU, wireshark will gather the data in the following packets until the PDU is complete.Then the full PDU is handed to the dissector which interprets its content en shows it to the user. You can turn this behavior off in the TCP protocol preferences (unset "allow subdissector to reassemble tcp streams").

Fragmentation at the IP layer occurs when an IP packet traveling across a network encounters a link (or tunneling) which can not transport packets of that size. It then splits up the IP packet into multiple IP fragments. This will be shown in wireshark as "Fragmented IP protocol (proto=XXX, off=XXXX, ID=XXXX).

Jaap is right, it is wise to do some reading regarding basic IP and TCP protocol workings...

Cheers,


Sake

----- Original Message ----- From: "Jaap Keuter" <jaap.keuter@xxxxxxxxx>
To: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
Sent: Wednesday, December 16, 2009 6:42 PM
Subject: Re: [Wireshark-users] asking a question


Hi,

The protocol stack is called TCP/IP, that is Transport Control Protocol over Internet Protocol. When the IP protocol layer cannot carry the TCP layer PDU as a whole, it fragments it, and sends the TCP segments one by one. These are the
packets you see.
Wireshark is able to tell that these are TCP segments and can do its best to reassemble the original TCP PDU for you. The result will then be presented with
the last TCP segment coming in.

This is basic TCP/IP stuff. Read your Stevens, or Wikipedia for that matter.

Thanks,
Jaap

chendahong@xxxxxxxxxxxxxxxx wrote:
When I used the wireshark to capture ip packets, the wireshark considered
some packets as "TCP segment of a reassembled PDU".

Please explain the means of "TCP segment of a reassembled PDU" to me.

thanks.

             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe