This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Handling missing fragments while reassembling

0

I am able to reassemble fragments successfully if there is a complete message. However if there are missing fragments my dissector continues to reassemble the next message along with the message that has the missing fragments. I can calculate how many fragments there are supposed to be before I begin reassembly but my first indication that there are missing fragments is when I come across the initial frame for the next fragmented packet. Is there a way that I can tell my reassembly to immediately stop reassembling at the previous fragment and begin a new reassembly at the current initial fragment. Either that or can I look at the next future packet to check if it is the next fragment or an initial fragment to another message?

asked 09 Jun '17, 08:58

jpetersen's gravatar image

jpetersen
6335
accept rate: 0%


One Answer:

0

The new fragment sequence should be using a new sequence id, so that the original sequence is left unreassembled.

answered 09 Jun '17, 10:06

grahamb's gravatar image

grahamb ♦
19.8k330206
accept rate: 22%

1

Thank you that worked.

For anyone facing a similar problem: I didn't have any sequence ID info in the header for the file so I just used the frame number of the initial fragment for my sequence ID.

(09 Jun '17, 11:33) jpetersen