Wireshark-dev: Re: [Wireshark-dev] Question about reassembled fragmentation
From: "Qmo (Yi-Sheng)" <qmosheng@xxxxxxxxx>
Date: Wed, 11 Nov 2009 16:46:13 +0800
Thank you in advance. But I am still confused.
Do you mean that when Wireshark encounters packet No. 132,
it knows it's a part of packet No. 134? How does Wireshark do that?
In the cap file, each packet is composed of a series of strings, and it will be decoded from the information in the strings.
In packet No. 132, packet No. 133 and packet No. 134, I couldn't see the related info about them;
even if Wireshark knows what HTTP responses look like, does it imply some info in the strings?
Thank you very much!

Best Regards,
Qmo

On Wed, Nov 11, 2009 at 4:25 PM, Guy Harris <guy@xxxxxxxxxxxx> wrote:

On Nov 11, 2009, at 12:20 AM, Qmo (Yi-Sheng) wrote:

> I want to decode the HTTP packet, but it involves the three packets.
> In Wireshark "Packet bytes Pane", the packet No. 134 shows
>  [Reassembled TCP Segments (1938 bytes): #132(272) #133(1460) #134(206)]
>      [Frame: 132, payload: 0-271]
>      [Frame: 133, payload: 272-1731]
>      [Frame: 134, payload: 1732-1937]
>
> How does Wireshark know this information via the cap file?

Because it knows what HTTP responses look like - a Status-Line, a
bunch of {general,response,entity}-headers, a blank line, and a
response body, with the latter terminated either by the byte count
from the headers or by closing the connection - so it accumulates the
contents of TCP segments until it's seen all of that.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
            mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe