Wireshark-users: Re: [Wireshark-users] How to get rid of "TCP segment of a reassembled PDU" messa
From: "DePriest, Jason R." <jrdepriest@xxxxxxxxx>
Date: Wed, 26 Mar 2008 19:00:44 +0000
On Wed, Mar 26, 2008 at 5:17 PM, Grant Edwards wrote:
> I'm tracing data in a TCP connection between two devices, and
>  about half way through the trace, wireshark stops displaying
>  packet info and just shows [TCP segment of a reassembled PDU].
>
>  It's _not_ a "TCP segment of a reassembled PDU".  It's just a
>  stream of bytes.  I've told wireshark to not decode that TCP
>  stream but it still refuses to display packet info.  I think
>  it's getting confused by packets that aren't part of the TCP
>  stream in question.
>
>  --
>  Grant

From the wiki
=-=-=-=-==-=-=-=-==-=-=-=-==-=-=-=-==-=-=-=-==-=-=-=-=
TCP Reassembly (http://wiki.wireshark.org/TCP_Reassembly)

Wireshark supports reassembly of PDUs spanning multiple TCP segments
for a large number of protocols implemented on top of TCP. These
protocols include, but are not limited to, iSCSI, HTTP, DNS, Kerberos,
CIFS, ONC-RPC etc. All in all probably something like 20 different
protocols. The support to do this is very easy to add to Wireshark if
required for new protocols, so if your favorite protocol is missing,
please give the Wireshark developers a shout.

Note that TCP Reassembly ONLY works if you capture the entire packet
and if all the checksums for that packet are valid. If you use packet
slicing and only capture parts of the packets OR if the packets have
incorrect checksums, i.e. TCP Checksum Verification fails, then the
packets will be ignored and reassembly will fail. (You can disable the
TCP Checksum Verification test in preferences.)
=-=-=-=-==-=-=-=-==-=-=-=-==-=-=-=-==-=-=-=-==-=-=-=-=

Are you dropping any packets?

TCP checksums can fail if your NIC is offloading the checksums.  Check
your driver settings.

A PDU is just a "Protocol Data Unit" - packet, frame, whatever.

-Jason
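
An added example, not part of the original message and not Wireshark's code: a check of the two preconditions the quoted wiki text names (the full packet was captured, and the TCP checksum verifies) for a single IPv4/TCP packet. The function names, addresses, ports and payload are constructed for illustration; the IPv4 header checksum is left at zero and is not checked.

```python
import struct

def ones_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the Internet checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header plus the TCP segment."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(segment))
    return ~ones_sum(pseudo + segment) & 0xFFFF

def reassembly_status(ip_packet: bytes) -> str:
    """Report which reassembly precondition, if any, one captured packet fails."""
    ihl = (ip_packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip_packet[2:4])[0]
    if len(ip_packet) < total_len:
        return "truncated"       # packet slicing: bytes missing from the capture
    segment = ip_packet[ihl:total_len]
    # With a correct checksum field in place, the recomputed value is 0.
    if tcp_checksum(ip_packet[12:16], ip_packet[16:20], segment) != 0:
        return "bad-checksum"    # e.g. captured before the NIC filled the field in
    return "ok"

def build_packet(payload: bytes, fill_checksum: bool = True) -> bytes:
    """Constructed sample: minimal IPv4+TCP packet, 10.0.0.1 -> 10.0.0.2."""
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    # ports 40000 -> 9000, seq 1, ack 1, 20-byte header, PSH|ACK, checksum 0
    tcp = struct.pack("!HHIIBBHHH", 40000, 9000, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    segment = tcp + payload
    if fill_checksum:
        csum = tcp_checksum(src, dst, segment)
        segment = segment[:16] + struct.pack("!H", csum) + segment[18:]
    ip = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(segment), 0, 0, 64, 6, 0)
    return ip + src + dst + segment

if __name__ == "__main__":
    good = build_packet(b"raw stream bytes")
    print(reassembly_status(good))                                      # full packet
    print(reassembly_status(good[:48]))                                 # sliced capture
    print(reassembly_status(build_packet(b"raw stream bytes", False)))  # unfilled checksum
```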