Wireshark-users: Re: [Wireshark-users] Question about TCP buffering and Wireshark
Thanks so much for that. Will try tcp_dissect_pdus()
On Fri, Jul 17, 2009 at 3:14 PM, Guy Harris<guy@xxxxxxxxxxxx> wrote:
>
> On Jul 17, 2009, at 11:59 AM, sean bzd wrote:
>
>> TCP experts,
>> I'm trying to understand some TCP packets sent by my application that
>> I captured through Wireshark. I noticed that multiple send() (winsock
>> API) calls are being combined into a single TCP frame.
>
> Yes. TCP is a byte-stream protocol, with no notion of packet
> boundaries, so the application receiving those packets will need to be
> able to handle getting multiple packets from a single read.
>
>> My custom
>> plugin doesn't seem to be able to parse this properly. Is there a
>> setting in Wireshark to show these separately?
>
> No.
>
>> OR is there something
>> in the plugin I can do to separate the frame into multiple app
>> packets??
>
> Possibly. If your app packets either
>
> 1) have a fixed length
>
> or
>
> 2) have some way where, after reading the first part of the app
> packet, you can determine from that information how long the total
> packet is
>
> (which you might need anyway, in order to allow the application
> receiving the packets to divide the byte stream it gets into app
> packets) you can use tcp_dissect_pdus() in your dissector.
>
>> The other way around - i.e. a large app packet split up into multiple
>> tcp frames is working fine and I had to do something special in my
>> plugin to handle this. (reassembled PDUs).
>
> tcp_dissect_pdus() will also handle that for you.
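Added example, not part of the original thread and not Wireshark code: a stand-alone C sketch of the length-based framing described in case 2 of the reply, covering both several app packets coalesced into one TCP segment and one app packet split across segments. The 2-byte big-endian length header, the `MAX_BODY` limit and all names (`stream_feed`, `run_sample`, ...) are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define HDR_LEN  2     /* assumed framing: 2-byte big-endian body length */
#define MAX_BODY 1024  /* assumed protocol limit; bounds the untrusted length */

typedef struct { uint8_t buf[HDR_LEN + MAX_BODY]; size_t len; } stream_t;
typedef void (*pdu_cb)(const uint8_t *body, size_t n, void *ctx);

/* Feed one segment payload: deliver each complete PDU to cb, keep the partial
 * tail for the next call. Returns PDUs delivered, -1 on an oversized length. */
int stream_feed(stream_t *s, const uint8_t *seg, size_t n, pdu_cb cb, void *ctx)
{
    int delivered = 0;
    for (;;) {
        size_t room = sizeof s->buf - s->len, take = n < room ? n : room, off = 0;
        memcpy(s->buf + s->len, seg, take);
        s->len += take; seg += take; n -= take;
        while (s->len - off >= HDR_LEN) {
            size_t body = ((size_t)s->buf[off] << 8) | s->buf[off + 1];
            if (body > MAX_BODY) return -1;
            if (s->len - off - HDR_LEN < body) break;  /* rest is in a later segment */
            cb(s->buf + off + HDR_LEN, body, ctx);
            off += HDR_LEN + body; delivered++;
        }
        memmove(s->buf, s->buf + off, s->len - off);   /* keep the partial PDU */
        s->len -= off;
        if (n == 0) return delivered;
    }
}

size_t g_lens[3]; int g_per_seg[2], g_seen;   /* results of run_sample() */
static void record(const uint8_t *body, size_t n, void *ctx)
{ (void)body; (void)ctx; if (g_seen < 3) g_lens[g_seen] = n; g_seen++; }

/* Constructed input: segment 1 holds two whole PDUs and the start of a third
 * (coalesced send() calls); segment 2 holds the rest of the third (split PDU). */
int run_sample(void)
{
    static const uint8_t seg1[] = {0,2,'A','B', 0,3,'C','D','E', 0,4,'W'};
    static const uint8_t seg2[] = {'X','Y','Z'};
    stream_t s = { .len = 0 };
    g_seen = 0;
    g_per_seg[0] = stream_feed(&s, seg1, sizeof seg1, record, NULL);
    g_per_seg[1] = stream_feed(&s, seg2, sizeof seg2, record, NULL);
    return g_seen;
}

int main(void) { return run_sample() == 3 ? 0 : 1; }
```

The length field comes straight off the wire, so it is checked against `MAX_BODY` before anything is buffered against it.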