Understanding "TCP Segment Data"

I've been examining a TCP payload in Wireshark. In the payload, there are several SMPP PDUs, but mixed in the packet were a few "TCP Segment Data" entries.

I looked at a few more payloads and found that the segment data entries can occur anywhere within the payload, beginning, middle or end.

First, how does Wireshark know the length of the segments? I've come to see that these segment data fragments are related to re-assembled TCP segments, but I'm at a loss as to how Wireshark is first able to internally ensure its SMPP data isn't inaccurately dissected, but then, how it relates those segments to other packets. Secondly, how does it know to relate those segments to previous frames in a capture?

I tried to review the Wireshark code, but it's a bit more amazing than I have powers to fully understand.

I'm still at it, but I thought I'd reach out here for help with those questions.