Wireshark-users: Re: [Wireshark-users] TCP reassemble question

From: Sake Blok <sake@xxxxxxxxxx>
Date: Sun, 16 May 2010 19:21:32 +0200
On 16 mei 2010, at 15:40, Bo Xu wrote:

> Wireshark can reassemble the TCP packets, which is a very cool feature.
> For example, if the reassemble option is disabled in the preferences, assume #9 and #10 are carrying the whole piece of information; there will be these 2 prompt lines in #9:
>  
> Numer of bytes in flight :1460 
> Last frame of this PDU : 10
>  
> I would like to know how Wireshark knows these TCP segments are together?

TCP is a streaming protocol, which means it just transmits the data it receives from an application to the receiving application on the receiving end. It has no knowledge of protocol data unit (PDU) boundaries. Just like the receiving application must know where the boundaries of each PDU are, the dissector for the protocol that runs on top of TCP must know how to determine if the PDU is split over multiple TCP segments. And if it is, it tells the TCP dissector to collect more data. This goes on until it knows it has enough data to dissect a whole PDU.

Hope this helps,
Cheers,
     Sake
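
The hand-off described in the reply above, as an added sketch that is not part of the original message and is not Wireshark's code: an upper-layer check reports how many more bytes it needs, and a TCP-layer buffer keeps collecting segments until a whole PDU is present. The 2-byte length-prefixed framing, the names `pdu_bytes_missing` and `feed_segment`, and the sample bytes are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN 2  /* hypothetical framing: 2-byte big-endian length, then payload */

/* Upper-layer check: 0 and *pdu_len set if buf holds a whole PDU, else bytes still needed. */
static size_t pdu_bytes_missing(const uint8_t *buf, size_t have, size_t *pdu_len)
{
    if (have < HDR_LEN)
        return HDR_LEN - have;              /* length field itself is split */
    size_t total = HDR_LEN + (((size_t)buf[0] << 8) | buf[1]);
    if (have < total)
        return total - have;                /* ask the TCP layer for more data */
    *pdu_len = total;
    return 0;
}

/* TCP-layer side: unconsumed stream bytes kept between segments. */
struct stream { uint8_t buf[4096]; size_t have; };

/* Feed one in-order segment payload; returns complete PDUs found, or -1 if it does not fit. */
static int feed_segment(struct stream *s, const uint8_t *seg, size_t len)
{
    if (len > sizeof s->buf - s->have)
        return -1;                          /* never write past the buffer */
    memcpy(s->buf + s->have, seg, len);
    s->have += len;
    int pdus = 0;
    size_t off = 0, pdu_len = 0;
    while (pdu_bytes_missing(s->buf + off, s->have - off, &pdu_len) == 0) {
        off += pdu_len;                     /* one whole PDU dissected */
        pdus++;
    }
    memmove(s->buf, s->buf + off, s->have - off);   /* keep the partial tail */
    s->have -= off;
    return pdus;
}

int main(void)
{
    /* Constructed sample: "hello" PDU split over two segments, then "ok". */
    const uint8_t seg1[] = { 0x00, 0x05, 'h', 'e' };
    const uint8_t seg2[] = { 'l', 'l', 'o', 0x00, 0x02, 'o', 'k', 0x00 };
    struct stream s = { .have = 0 };
    int first = feed_segment(&s, seg1, sizeof seg1);
    int second = feed_segment(&s, seg2, sizeof seg2);
    printf("%d then %d PDU(s), %zu byte(s) pending\n", first, second, s.have);
    return 0;
}
```

The first segment yields no PDU because the length header announces more bytes than have arrived; the second completes it, carries a further whole PDU, and leaves one byte of the next header pending.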