On 5 jul 2011, at 22:42, Graeme Melia wrote:
> I am using Wireshark to to monitor a multi-serial port device that
> communicates to a server via IP.
>
> The outgoing TCP messages from the server has the DNP3 message embedded,
> usually in one packet.
>
> The incoming DNP3 messages are being broken up so that each byte is a
> single TCP packet, or a 23 byte DNP3 message becomes 23 TCP packets each
> with a payload of 1 data byte.
>
> The problem is that the Wireshark DNP3 dissector is not reassembling the
> original DNP3 message. I have checked the DNP3 option to reassemble
> messages split across multiple TCP packets and the TCP setting to allow
> subdissector to reassemble TCP streams.
>
> Is this a bug or have I missed something?
Without looking at the packets, it's hard to tell. You might want to try an automated build[1], as there has been done some work on DNP reassembly after 1.6.0 came out. If that does not solve your issue, please post a (small) capture file showing the problem to bugs.wireshark.org so it can be checked whether it is a bug (or an enhancement request :-)).
Cheers,
Sake
[1] http://www.wireshark.org/download/automated/
