Thank you. If that's the case, there should be a TCP segment following this TPKT packet with TPKT payload contained. But in fact, Eathereal didn't captured such a TCP segment.
________________________________ From: Guy Harris [mailto:[EMAIL PROTECTED] Sent: Mon 10/6/2003 4:54 PM To: #YANG YONG# Cc: [EMAIL PROTECTED] Subject: Re: [Ethereal-users] Payload of TPKT is missing On Mon, Oct 06, 2003 at 10:49:32AM +0800, #YANG YONG# wrote: > When I captured a TPKT packet, ethereal said it contained a Q.931 > message, and the length was 200. But in fact ethereal captured nothing > of the payload of the TPKT packet. The record is attached for your > information. I wonder why. Perhaps because you haven't turned on the "Allow subdissector to desegment TCP streams" option, or the "Desegment all TPKT messages spanning multiple TCP segments" option is turned off, and this TPKT packet came from a VoIP implementation that puts out the TPKT header and body in separate TCP segments (as I think Microsoft's NetMeeting stuff does, for example)? Select "Preferences" from the "Edit" menu, click on the "[+]" next to "Protocols" in the dialog box that pops up in order to open up the list of protocols, select "TCP", turn on the "Allow subdissector to desegment TCP streams" option, then select "TPKT" and, if "Desegment all TPKT message spanning multiple TCP segments" is turned off, turn it on. Then click "OK". If you want those settings to be the default whenever you run Ethereal (at least on that machine, or any other machine where you have the same home directory for UNIX or "profile directory" for Windows), click "Save" before clicking "OK".
