On 16 jul 2010, at 18:25, George Vandelet wrote:
> I have a Wireshark capture for an HTTP session and I see in the middle of all of the HTTP packets, some TCP packets which state they are "[TCP segment of a reassembled PDU]". I expect to see TCP packets at the beginning and end of the TCP session but don't expect to see them much in the middle.
>
> Can anyone help me understand what [TCP segment of a reassembled PDU] is indicating?
This message means that TCP was forwarding the payload to the dissector for the used protocol on top of TCP (HTTP in your case) and the dissector sent a message back to the TCP dissector that it needed more data to be able to dissect a full PDU (Protocol Data Unit). The TCP dissector then collects more data until the other dissector is capable of dissecting it.
In case of HTTP, this means that the response (or request) did not fit 1 TCP segment and was sent in multiple segments. In each frame that says "[TCP segment of a reassembled PDU]" there is a line in the TCP details that tells you in which packet the fully reassembled PDU is dissected.
You can turn off this reassembly in the TCP protocol preferences by disabling the setting "Allow subdissector to reassemble TCP streams".
Cheers,
Sake
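
The hand-off described in the reply above, as an added toy model in Python; it is not part of the original thread and not Wireshark's code. The function names, the sample response, the frame numbers and the non-bracketed labels are constructed for illustration, and the model assumes in-order segments, framing by Content-Length only, and that each HTTP message ends on a segment boundary.

```python
import re

MARK = "[TCP segment of a reassembled PDU]"  # label text quoted in the thread

def http_needs_more(buf):
    """True while buf does not yet hold one complete HTTP message, i.e. the
    HTTP side would ask the TCP side to collect more data."""
    head, sep, body = buf.partition(b"\r\n\r\n")
    if not sep:
        return True                      # header block not finished
    m = re.search(rb"(?im)^content-length:\s*(\d+)", head)
    need = int(m.group(1)) if m else 0   # toy model: Content-Length only
    return len(body) < need

def label_frames(segments, reassemble=True):
    """segments: ordered (frame_no, payload) pairs for one direction.
    Returns {frame_no: (label, frame_where_full_pdu_is_dissected or None)}."""
    out, pending, buf = {}, [], b""
    for frame, payload in segments:
        if not reassemble:               # reassembly preference disabled
            out[frame] = ("HTTP, segment dissected on its own", None)
            continue
        buf += payload
        pending.append(frame)
        if http_needs_more(buf):
            out[frame] = (MARK, None)    # final frame not known yet
            continue
        for f in pending[:-1]:           # back-fill the pointer to the last frame
            out[f] = (MARK, frame)
        out[frame] = (buf.split(b"\r\n", 1)[0].decode(), frame)
        pending, buf = [], b""
    return out

# Constructed sample: a 3000-byte body split into 1460-byte TCP segments.
RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 3000\r\n\r\n" + b"A" * 3000
SAMPLE = [(6 + i, RESPONSE[off:off + 1460])
          for i, off in enumerate(range(0, len(RESPONSE), 1460))]

if __name__ == "__main__":
    for mode in (True, False):
        print("reassembly", "on" if mode else "off")
        for frame, (label, where) in sorted(label_frames(SAMPLE, mode).items()):
            print(f"  frame {frame}: {label}" + (f" -> frame {where}" if where else ""))
```
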