The TCP dissector usually works just fine without the payload, as long as you have the complete TCP header, which you should have unless there is some tunneling involved (eth:14, ip:20, tcp:20-60 => 54-94 bytes for eth/ip/tcp info). How are the packets sliced: by the libpcap library, resulting in "Frame 366: 534 bytes on wire, 100 bytes captured on interface en0, id 0", or by a packet broker, resulting in "Frame 366: 100 bytes on wire, 100 bytes captured on interface en0, id 0", even though there were 534 bytes on the wire before slicing? AFAIK, Wireshark sometimes has problems handling the second case.
Of course a pcap file with an example of where TCP analysis fails in your case could be handy to determine what is going on and whether or not this is a bug.
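To illustrate the two slicing cases above, here is an added Python example (not code from the answer's author or from Wireshark) that builds a constructed 534-byte Ethernet/IPv4/TCP frame, writes it as pcap records sliced the libpcap way (caplen < orig_len) and the packet-broker way (caplen == orig_len, truncation only visible from the IP total length), and checks whether the 54-94 header bytes the TCP dissector needs are still present. The classification heuristic and the sample addresses are assumptions made for the example.

```python
import struct

# pcap file header: magic, version 2.4, thiszone, sigfigs, snaplen, LINKTYPE_ETHERNET (1)
PCAP_GLOBAL = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)

def build_frame(payload_len):
    """Constructed Ethernet/IPv4/TCP frame with payload_len bytes of data (sample, not a real capture)."""
    tcp = struct.pack("!HHIIBBHHH", 443, 51000, 1, 1, 5 << 4, 0x18, 65535, 0, 0)  # 20-byte TCP header
    ip_total = 20 + len(tcp) + payload_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total, 1, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))  # 20-byte IPv4 header, checksum left zero
    eth = b"\x00" * 12 + b"\x08\x00"                              # 14-byte Ethernet header, EtherType IPv4
    return eth + ip + tcp + bytes(payload_len)

def pcap_record(frame, caplen, orig_len):
    """16-byte pcap record header (ts_sec, ts_usec, incl_len, orig_len) followed by caplen bytes."""
    return struct.pack("<IIII", 0, 0, caplen, orig_len) + frame[:caplen]

def pcap_file(records):
    """Complete in-memory pcap file, e.g. for writing a sample to disk."""
    return PCAP_GLOBAL + b"".join(records)

def classify(record):
    """Report how a record was sliced and whether the full eth/ip/tcp headers survived."""
    _, _, caplen, orig_len = struct.unpack("<IIII", record[:16])
    data = record[16:16 + caplen]
    result = {"caplen": caplen, "orig_len": orig_len, "slicing": "none", "tcp_header_complete": False}
    if caplen < 34:  # need eth (14) + fixed IPv4 header (20) to read the IP total length
        result["slicing"] = "unknown (too short to read IP total length)"
        return result
    ip_total = struct.unpack("!H", data[16:18])[0]
    tcp_off = 14 + (data[14] & 0x0F) * 4
    if caplen < orig_len:
        result["slicing"] = "libpcap snaplen"           # record header itself reports the loss
    elif 14 + ip_total > caplen:
        result["slicing"] = "upstream (packet broker)"  # header hides it; IP total length reveals it
    # TCP header is complete when its data-offset byte is captured and the whole header fits in caplen
    if caplen >= tcp_off + 13:
        data_off = (data[tcp_off + 12] >> 4) * 4
        result["tcp_header_complete"] = caplen >= tcp_off + data_off  # 54..94 bytes for eth/ip/tcp
    return result

if __name__ == "__main__":
    frame = build_frame(480)  # 54 header bytes + 480 payload = 534 bytes on wire
    for rec in (pcap_record(frame, 100, 534), pcap_record(frame, 100, 100), pcap_record(frame, 534, 534)):
        print(classify(rec))
```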