DePriest, Jason R.
Wed, 26 Mar 2008 12:01:54 -0700
On Wed, Mar 26, 2008 at 5:17 PM, Grant Edwards wrote: > I'm tracing data in a TCP connection between two devices, and > about half way through the trace, wireshark stops displaying > packet info and just shows [TCP segment of a reassembled PDU]. > > It's _not_ a "TCP segment of a reassembled PDU". It's just a > stream of bytes. I've told wireshard to not decode that TCP > stream but it still refuses to display packet info. I think > it's getting confused by packets that aren't part of the TCP > stream in question. > > -- > Grant
From the wiki =-=-=-=-==-=-=-=-==-=-=-=-==-=-=-=-==-=-=-=-==-=-=-=-= TCP Reassembly (http://wiki.wireshark.org/TCP_Reassembly) Wireshark supports reassembly of PDUs spanning multiple TCP segments for a large number of protocols implemented on top of TCP. These protocols include, but are not limited to, iSCSI, HTTP, DNS, Kerberos, CIFS, ONC-RPC etc. All in all probably something like 20 different protocols. The support to do this is very easy to add to Wireshark if required for new protocols, so if your favorite protocol is missing, please give the Wireshark developers a shout. Note that TCP Reassembly ONLY works if you capture the entire packet and if all the checksums for that packet are valid. If you use packet slicing and only capture parts of the packets OR if the packets have incorrect checksums, i.e. TCP Checksum Verification fails, then the packets will be ignored and reassembly will fail. (You can disable the TCP Checksum Verification test in preferences.) =-=-=-=-==-=-=-=-==-=-=-=-==-=-=-=-==-=-=-=-==-=-=-=-= Are you dropping any packets? TCP checksums can fail if your NIC is offloading the checksums. Check your driver settings. A PDU is just a "Protocol Data Unit" - packet, frame, whatever. -Jason _______________________________________________ Wireshark-users mailing list Wireshark-users@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-users