Revision history

initial version

As you probably know, TCP is a stream transport, which means it is intended to transport bytes, without any structure applied to them. Many higher layer protocols (e.g., Transport Layer Security) are based on messages, records, PDUs, or whatever it is called in that protocol. This defines a structure on top of the bytes. Obviously there's a disconnect here. To make matters worse, the TCP layer itself uses a packet based transport (IP) to get the data stream across the network.

So, from the example, we receive an Ethernet frame, with an IP packet. This packet contains a TCP packet, which contains part of a data stream (ref TCP payload). Fortunately the TCP dissector, together with the higher layer protocol dissector, is able to figure out what part of the TCP payload is relevant for a particular higher layer protocol. This is handed off to the higher layer protocol dissector to be dissected (in this case the TLS "Server Hello").

But what about the rest of the TCP payload? Well, if there are no other takers (i.e., no higher layer protocol is satisfied that the blob of data is a valid/complete PDU for it), it is left to the TCP dissector to come up with more data first. Which it can't, because the TCP payload is exhausted. Therefore the rest of the payload data must be a segment (ref TCP segment) of a larger PDU for the higher layer protocol.

You can find that PDU if you follow the TCP stream's packets, where you eventually find a TCP packet which has a Reassembled TCP segments section in it referencing the frame where you found the TLS Server Hello and the remaining TCP segment data. There the whole PDU is reassembled and handed off to the higher layer dissector.

For your packet, you should be able to verify this: the TCP payload is 1460 bytes and the TCP segment data (the data remaining) is 1398 bytes, so the Server Hello record is 62 bytes long.

As an aside, packets that carry only TCP segment data have a reference added to them to the frame where the reassembly into a complete PDU is done. Unfortunately this reference is not included in TCP packets where part of the payload is dissected. I think that deserves a bug report. It could have avoided this question.
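The record-boundary logic described in the answer above, as an added example that is not part of the original answer or of Wireshark's own code. It walks TLS record headers (1-byte content type, 2-byte version, 2-byte length) over a constructed TCP payload of 1460 bytes: a complete 62-byte Server Hello record followed by the first 1398 bytes of a longer handshake record. The parser reports which records are complete, how many trailing bytes belong to an unfinished record, and how many more bytes the next segments must supply before that record can be dissected. All sample bytes are constructed for the example, not taken from the asker's capture.

```python
import struct

TLS_HANDSHAKE = 0x16        # TLS record content type for handshake messages
TLS_VERSION_1_2 = 0x0303    # record-layer version field (constructed sample)
RECORD_HEADER_LEN = 5       # content type (1) + version (2) + length (2)


def parse_tls_records(buf):
    """Walk TLS record headers in buf, the way a record-layer dissector does.

    Returns (records, leftover, needed):
      records  - list of (content_type, version, body_length) for records
                 whose body is fully present in buf
      leftover - number of bytes at the end of buf that belong to a record
                 whose body has not fully arrived yet (0 if buf ends exactly
                 on a record boundary)
      needed   - how many more bytes must arrive before that partial record
                 is complete (None if not even the 5-byte header is present)
    """
    records = []
    offset = 0
    while offset < len(buf):
        remaining = len(buf) - offset
        if remaining < RECORD_HEADER_LEN:
            # Header itself is truncated: the record length is not known yet.
            return records, remaining, None
        content_type, version, length = struct.unpack_from("!BHH", buf, offset)
        if remaining - RECORD_HEADER_LEN < length:
            # Header says the record is bigger than what this segment holds;
            # the rest is "TCP segment data" awaiting reassembly.
            return records, remaining, RECORD_HEADER_LEN + length - remaining
        records.append((content_type, version, length))
        offset += RECORD_HEADER_LEN + length
    return records, 0, 0


def make_record(content_type, body, version=TLS_VERSION_1_2):
    """Build one TLS record: 5-byte header followed by the body."""
    return struct.pack("!BHH", content_type, version, len(body)) + body


# Constructed Server Hello handshake message (57 bytes):
#   4-byte handshake header (type 0x02, 3-byte length 53) + 53-byte body:
#   version(2) + random(32) + session_id_len(1) + session_id(13)
#   + cipher_suite(2) + compression(1) + extensions_len(2)
_SH_BODY = (b"\x03\x03" + b"A" * 32 + b"\x0d" + b"S" * 13
            + b"\x13\x01" + b"\x00" + b"\x00\x00")
SERVER_HELLO_MSG = b"\x02" + len(_SH_BODY).to_bytes(3, "big") + _SH_BODY
SERVER_HELLO_RECORD = make_record(TLS_HANDSHAKE, SERVER_HELLO_MSG)  # 62 bytes

# Constructed follow-on handshake record (e.g. a Certificate) of 3000 bytes,
# far larger than what fits in the remainder of one TCP segment.
BIG_RECORD = make_record(TLS_HANDSHAKE, b"C" * 2995)

# First TCP segment: 62-byte Server Hello + 1398 bytes of the big record
# = 1460-byte TCP payload, matching the sizes discussed in the answer.
FIRST_SEGMENT = SERVER_HELLO_RECORD + BIG_RECORD[:1398]
# Second (and later) segment data that the reassembler must append.
REST_OF_STREAM = BIG_RECORD[1398:]


def reassemble_and_parse(segments):
    """Concatenate in-order segment payloads and parse the combined stream."""
    return parse_tls_records(b"".join(segments))


if __name__ == "__main__":
    recs, leftover, needed = parse_tls_records(FIRST_SEGMENT)
    print(f"payload={len(FIRST_SEGMENT)} complete={recs} "
          f"segment_data={leftover} still_needed={needed}")
    print(reassemble_and_parse([FIRST_SEGMENT, REST_OF_STREAM]))
```

Run stand-alone, the first line reports one complete 57-byte-body handshake record (the 62-byte Server Hello) and 1398 bytes of segment data that still need 1602 more bytes; after the second segment is appended, both records parse and nothing is left over, which is exactly the state Wireshark shows in the frame carrying the "Reassembled TCP segments" section.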