Ask Your Question
0

Why Wireshark don't annotate all reassembled packets with "tcp segment of a reassembled pdu"

asked 2020-04-21 15:26:36 +0000

alajeb gravatar image

I have a traffic capture that have some packets reassembled PDU but Wireshark don't annotate all the packets that are reassembles with "TCP segment of a reassembled PDU" is my interpretation is wrong or Wireshark don't annotate some packets Here is the capture https://drive.google.com/file/d/1MvaD... We can see that the 7th and the 8th frame are reassembled

edit retag flag offensive close merge delete

Comments

All but the final segment will be marked with “[TCP segment of a reassembled PDU]” in the packet list.

Chuckc gravatar imageChuckc ( 2020-04-21 16:38:51 +0000 )edit
add a comment

1 Answer

Sort by » oldest newest most voted
0

answered 2020-04-21 16:24:13 +0000

grahamb gravatar image

updated 2020-04-21 16:25:34 +0000

Only the frames that are partial PDU's are marked in this way, e.g. frame 7. When reassembly has completed, e.g. frame 8, then no such marking takes place.

If you look at frame 8 in the packet details, between the TCP and TLS layers you can see the segments that are reassembled in this frame:

Frame 8: ...
Ethernet II, ...
Internet Protocol Version 4, ...
Transmission Control Protocol, ...
[2 Reassembled TCP Segments (471 bytes): #7(123), #8(348)]
Transport Layer Security
edit flag offensive delete link more

Comments

Could you please explain to me what do you mean by "frames that are partial PDU's"

alajeb gravatar imagealajeb ( 2020-04-21 16:28:14 +0000 )edit

@grahamb any thoughts why Frame 6 isn't labeled as a TCP segment?
The reassembly details in Frame 7 show frames 6 and 7.

Chuckc gravatar imageChuckc ( 2020-04-21 16:40:41 +0000 )edit

@alajeb

I misspoke a little, the frames contain partial PU's. A partial PDU is when an application layer PDU, in this case a TLS Application Data Protocol PDU, is split into parts in multiple segments of the transporting protocol, in this case TCP. The PDU started in frame 7 is too big (1507 bytes) to fit in a single segment so is split and follows on into frame 8.

@bubbasnmp,

I now see what you mean. Frame 6 has two complete PDU's, then the start of a third one. That PDU is completed by the first part of frame 7. The PDU in the latter part of frame 7 is completed by frame 8.

I suspect frame 6 isn't labelled because it does have some complete PDU's, whereas frame 7 only has two partial PDU's, the end of one and the start of another, this ...(more)

grahamb gravatar imagegrahamb ( 2020-04-21 16:53:55 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2020-04-21 15:26:36 +0000

Seen: 586 times

Last updated: Apr 21 '20

Related questions

What happened to reassemble_tcp?

How to parse the tcp data with fragments in lua

Certficate [TCP segment of a ressembled PDU] -- WHY/WHAT causes it?

Why there is port mismatch in tcp and http header for port 51006. Also why the netstat in server do not shows connections under port 51006 even traffic is coming to this port.

Client is waiting for FIN flag from server for 30 sec

follow tcp stream dialogue box

How to tell if TCP segment contains a data in Wireshark?

Help to read this trace

Random Flooding of TCP Retransmissions

How to make wireshark pop out a file when there are a lot of tcp retransmissions?

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2