Ask Your Question
0

Understanding "TCP Segment Data"

asked 2021-02-04 14:45:06 +0000

Irwin Williams gravatar image

I've been examining a TCP payload in wireshark. In the payload, there are several SMPP PDUs, but mixed in the packet were a few "TCP Segment Data" entries.

I looked at a few more payloads and found that the segment data entries can occur anywhere within the payload, beginning, middle or end.

First, how does wireshark know the length of the segments? I've come to see that these segment data fragments are related to re-assembled TCP segments, but I'm at a loss as to how wireshark is first able to internally ensure it's SMPP data isn't inaccurately dissected, but then, how it relates those segments to other packets. Secondly, how does it know to relate those segments to previous frames in a capture?

I tried to review the wireshark code , but it's a bit more amazing that I have powers to fully understand.

I'm still at it, but I thought I'd reach out here for help with those questions.

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2021-02-04 15:48:07 +0000

Jaap gravatar image

TLDR: it's probably easier to read this section in the Developers Guide.

First off, it's important to realise that TCP is a stream transport, so simply a continues flow of bytes. Any structure has to be defined by the protocol layer on top of TCP using this stream transport. The dissector for this protocol can make use of some simple facilities provided by the TCP dissector to handle these TCP segments. It has to provide a function which can tell the TCP dissector how many bytes it needs for a PDU, and the TCP dissector takes care of the rest. Once the TCP dissector has collected enough bytes from the incoming TCP transport it hands the requested size of bytes to this protocol dissector on top and keeps the rest (if any) for the next PDU to be handed over.

edit flag offensive delete link more

Comments

There is a sample capture attached to issue 15906 which shows SMPP spanning TCP packets.

This is handled in the SMPP dissector and has a preference to enable/disable:

    prefs_register_bool_preference (smpp_module,
            "reassemble_smpp_over_tcp",
            "Reassemble SMPP over TCP messages spanning multiple TCP segments",
            "Whether the SMPP dissector should reassemble messages spanning multiple TCP segments."
            " To use this option, you must also enable "
            "\"Allow subdissectors to reassemble TCP streams\" in the TCP protocol settings.",
            &reassemble_over_tcp);
Chuckc gravatar imageChuckc ( 2021-02-04 16:18:47 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2021-02-04 14:45:06 +0000

Seen: 3,631 times

Last updated: Feb 04 '21

Related questions

It seems host does not receive segment 33 but it receives 32 and 34. This is related to TCP protocol. Is it because it utilizes 33 for ACK on the other host?

Why there is port mismatch in tcp and http header for port 51006. Also why the netstat in server do not shows connections under port 51006 even traffic is coming to this port.

Client is waiting for FIN flag from server for 30 sec

follow tcp stream dialogue box

How to tell if TCP segment contains a data in Wireshark?

Help to read this trace

Random Flooding of TCP Retransmissions

How to make wireshark pop out a file when there are a lot of tcp retransmissions?

how to create a graph of the number of active tcp connections over time?

how can I graph mysql response time in wireshark

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2