Wireshark-users: Re: [Wireshark-users] asking a question
From: "Sake Blok" <sake@xxxxxxxxxx>
Date: Wed, 16 Dec 2009 19:59:10 +0100
Jaap,

You're mixing the IP fragmentation and TCP segmentation into a nice cocktail ;-)

The "TCP segment of a reassembled PDU" message means that some protocol on 
top of TCP sent a PDU to the TCP layer which the TCP layer was not able to 
send to the IP layer in one segment (which has a maximum size called the 
maximum segment size or in short MSS). The TCP layer will split up the 
message into several segments and hand those segments over to the IP layer 
for transport. When Wireshark sees a TCP segment which does not contain the 
full upper layer PDU, Wireshark will gather the data in the following 
packets until the PDU is complete. Then the full PDU is handed to the 
dissector which interprets its content and shows it to the user. You can turn 
this behavior off in the TCP protocol preferences (unset "allow subdissector 
to reassemble tcp streams").

Fragmentation at the IP layer occurs when an IP packet traveling across a 
network encounters a link (or tunneling) which cannot transport packets of 
that size. It then splits up the IP packet into multiple IP fragments. This 
will be shown in Wireshark as "Fragmented IP protocol (proto=XXX, off=XXXX, 
ID=XXXX)".

Jaap is right, it is wise to do some reading regarding basic IP and TCP 
protocol workings...

Cheers,


Sake
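
The distinction drawn above, as an added example that is not part of the original messages: a simplified model of how intermediate TCP segments end up labelled "TCP segment of a reassembled PDU", next to the IPv4 header check that identifies a real IP fragment. The 2-byte length-prefixed framing, the function names and the sample data are assumptions made for illustration; retransmissions and sequence-number wrap are not handled.

```python
import struct

def ip_fragment_info(ip_header: bytes):
    """Return (ident, offset_bytes, more_fragments, is_fragment) for an IPv4 header."""
    ident, flags_frag = struct.unpack("!HH", ip_header[4:8])
    more = bool(flags_frag & 0x2000)          # MF (more fragments) flag
    offset = (flags_frag & 0x1FFF) * 8        # offset field counts 8-byte units
    return ident, offset, more, more or offset > 0

def label_tcp_segments(segments):
    """segments: (seq, payload) tuples of one stream direction.
    Assumed framing (hypothetical upper-layer protocol): each PDU is a
    2-byte big-endian length followed by that many bytes."""
    labels, buf = [], b""
    for seq, payload in sorted(segments):     # put segments in sequence order
        buf += payload
        done = []
        while len(buf) >= 2:
            (n,) = struct.unpack("!H", buf[:2])
            if len(buf) < 2 + n:
                break                         # PDU continues in a later segment
            done.append(buf[2:2 + n])
            buf = buf[2 + n:]
        if done:
            labels.append((seq, "PDU complete", done))
        else:
            labels.append((seq, "TCP segment of a reassembled PDU", []))
    return labels

def ipv4_header(ident, offset_bytes, more):
    """Build a constructed 20-byte IPv4 header (checksum left at 0)."""
    flags_frag = (0x2000 if more else 0) | (offset_bytes // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, ident, flags_frag,
                       64, 6, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))

# Constructed sample: one 3000-byte PDU sent with an MSS of 1460 -> three segments.
PDU = struct.pack("!H", 3000) + b"A" * 3000
MSS = 1460
SEGMENTS = [(1000 + i, PDU[i:i + MSS]) for i in range(0, len(PDU), MSS)]

if __name__ == "__main__":
    for seq, label, pdus in label_tcp_segments(SEGMENTS):
        print(seq, label, [len(p) for p in pdus])
    print(ip_fragment_info(ipv4_header(0x1234, 1480, more=True)))
```

Every one of the three TCP segments travels in an ordinary, unfragmented IP packet; only a header with MF set or a non-zero offset is an IP fragment.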

----- Original Message ----- From: "Jaap Keuter" <jaap.keuter@xxxxxxxxx>
To: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
Sent: Wednesday, December 16, 2009 6:42 PM
Subject: Re: [Wireshark-users] asking a question


Hi,

The protocol stack is called TCP/IP, that is Transport Control Protocol over Internet Protocol. When the IP protocol layer cannot carry the TCP layer PDU as a whole, it fragments it, and sends the TCP segments one by one. These are the packets you see.

Wireshark is able to tell that these are TCP segments and can do its best to reassemble the original TCP PDU for you. The result will then be presented with the last TCP segment coming in.

This is basic TCP/IP stuff. Read your Stevens, or Wikipedia for that matter.
Thanks,
Jaap

chendahong@xxxxxxxxxxxxxxxx wrote:
When I used Wireshark to capture IP packets, Wireshark considered
some packets as "TCP segment of a reassembled PDU".

Please explain the meaning of "TCP segment of a reassembled PDU" to me.

thanks.
