Thanks for the responses. My initial analysis was wrong. The problem was due to 'lost TCP segments'. These are segments that Wireshark failed to capture, and I can see an ack for these packets from the client and I don't see retransmissions either. Due to this the dissection of RTMP fails badly. RTMP is a very context-sensitive protocol. Missing any one chunk offset will have a cascading effect from there on.
I am currently trying with 'TCP analyze sequence numbers' disabled. A quick search on Google also seems to suggest this might not help a lot. I found this mail from the archives: http://ethereal.netmirror.org/lists/wireshark-users/200806/msg00025.html. Does anyone know of any way to work around this problem?

Thanks,
Sudarshan

On Tue, Aug 25, 2009 at 6:07 AM, Guy Harris<[email protected]> wrote:
>
> On Aug 24, 2009, at 11:02 AM, Sudarshan Raghavan wrote:
>
>> How do I make tcp_dissect_pdus work correctly with chunks across TCP
>> segments.
>
> Is it not working correctly now? I've seen it work correctly for
> other protocols, even with multiple messages within one TCP segment,
> messages split across TCP segments, and messages split across TCP
> segments with the last TCP segment having the end of one message
> followed by other messages or the beginning of another message.
>
> Note that "working correctly" does not mean "calling your dissector
> with a non-zero offset", it means "calling your chunk dissector with a
> completely reassembled RTMP chunk, even if the chunk is split across
> TCP segment boundaries or if there are parts of more than one RTMP
> chunk (or complete RTMP chunks) in a TCP segment".
> ___________________________________________________________________________
> Sent via: Wireshark-dev mailing list <[email protected]>
> Archives: http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
> mailto:[email protected]?subject=unsubscribe
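
The condition described in this message (the peer ACKs payload bytes that never appear in the capture) can be checked offline before suspecting the dissector. The following C code is an added example, not code from this thread or from Wireshark; the struct and function names and the sample sequence numbers are assumptions constructed for illustration, and it assumes segments sorted by sequence number with no 32-bit wraparound.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One captured payload segment (single direction of the flow). */
struct seg { uint32_t seq, len; };
/* Byte range [start, end) that was ACKed but is absent from the capture. */
struct gap { uint32_t start, end; };

/* Constructed sample: bytes 2000..2999 were never captured; 3000 is seen twice. */
static const struct seg sample[] = {
    {1000, 500}, {1500, 500}, {3000, 500}, {3000, 500}, {3500, 200},
};

static void record(struct gap *out, size_t max, size_t *n, uint32_t s, uint32_t e)
{
    if (*n < max) { out[*n].start = s; out[*n].end = e; }
    (*n)++;
}

/* Assumes segs[] is sorted by seq and sequence numbers do not wrap.
 * first_seq is the first payload byte; max_ack is the highest ACK seen from
 * the peer. Returns the gap count and stores up to max_gaps of them. */
size_t find_acked_unseen(const struct seg *segs, size_t n, uint32_t first_seq,
                         uint32_t max_ack, struct gap *out, size_t max_gaps)
{
    size_t found = 0;
    uint32_t next = first_seq;          /* next byte expected in the capture */

    for (size_t i = 0; i < n && next < max_ack; i++) {
        if (segs[i].seq > next)         /* hole in front of this segment */
            record(out, max_gaps, &found, next,
                   segs[i].seq < max_ack ? segs[i].seq : max_ack);
        uint32_t seg_end = segs[i].seq + segs[i].len;
        if (seg_end > next)             /* ignore retransmitted/overlapping data */
            next = seg_end;
    }
    if (next < max_ack)                 /* ACKed data beyond the last captured byte */
        record(out, max_gaps, &found, next, max_ack);
    return found;
}

int main(void)
{
    struct gap g[4];
    size_t n = find_acked_unseen(sample, 5, 1000, 3700, g, 4);
    for (size_t i = 0; i < n && i < 4; i++)
        printf("ACKed but not captured: [%u, %u)\n", (unsigned)g[i].start, (unsigned)g[i].end);
    return 0;
}
```

Each reported range marks a stream offset after which a context-sensitive dissector such as the RTMP one has lost chunk alignment, so decode errors past that point reflect the capture rather than the reassembly logic.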
