Wireshark-users: Re: [Wireshark-users] "Visually" re-assemble packet
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Mon, 8 Dec 2014 19:14:25 -0800
On Dec 8, 2014, at 6:21 PM, Christopher Smith <Christopher.Smith@xxxxxxxxx> wrote:

> We’re getting there :-) I would expect the complexity you have described (2 for 1, 1 for multi, or both) and would be grateful to see that, as a massaged trace.  I think in the end game, it would be some sort of Export feature that combines/amalgamates/merges frames into packets, packets into segments, then segments into protocol – and then dump that into another trace.  I would imagine – if I’m the only one asking this specifically – that this ultimately won’t happen!

Well, there are multiple levels of reassembly there, so the feature would have to be told which particular layers of reassembly are interesting.  (For SMB, the only reassembly you'll see most of the time is reassembling pieces of TCP segments into SMB messages, as well as splitting TCP segments into SMB messages; you will typically have a one-to-one correspondence between link-layer frames and IP datagrams - or, at least, any reassembly there will be done before the capture mechanism gets to see the packets, so you won't see reassembly - and a one-to-one correspondence between IP datagrams and TCP segments.  You might, however, see reassembly for the various types of SMB transactions, as well as for some protocols running over SMB named pipes.)

Presumably the reason to write out another trace is for *other* programs to read, although that'd require putting "fake" link-layer, IP, and TCP headers on the SMB messages, as those programs probably expect to see low-level network traces.  Wireshark *itself* should be able to show, for example, a TCP-level or SMB-level or DCE/RPC-level view of the traffic, given a regular frame-by-frame trace and only that.  (It currently can't, but it'd probably be a useful capability.)
 
> I won’t keep you – I have been grateful for your expertise, seriously!  FWIW, I have found today TCP StreamGraph -> Throughput Graph – which I believe would be the ultimate end of the Pivot guru’s first analysis, and so distributing.

I.e., Wireshark already does what you need with those graphs?
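The TCP-to-SMB reassembly layer described above (several segments making one message, and one segment carrying several messages), as an added example that is not code from Wireshark or from either poster. It assumes direct-hosted SMB over TCP (port 445), where each message is preceded by a 4-byte header (type byte 0x00 plus a 24-bit big-endian length); the SMB2 messages and segment boundaries are constructed.

```python
# Added example: reassemble one direction of a TCP byte stream into SMB messages and
# record which TCP segments contributed to each. Direct-TCP framing (4-byte header,
# type 0x00 + 24-bit length) is assumed; all messages below are constructed.

def nbss_frame(body: bytes) -> bytes:
    """Prefix an SMB message with the direct-TCP transport header."""
    return b"\x00" + len(body).to_bytes(3, "big") + body

def smb2_message(command: int) -> bytes:
    """Constructed 64-byte SMB2 header: magic, StructureSize and Command only."""
    return (b"\xfeSMB" + (64).to_bytes(2, "little") + bytes(6)
            + command.to_bytes(2, "little") + bytes(50))

def smb_command(body: bytes):
    """Return (dialect, command) for an SMB1 or SMB2 message body."""
    if body[:4] == b"\xfeSMB":
        return "SMB2", int.from_bytes(body[12:14], "little")
    if body[:4] == b"\xffSMB":
        return "SMB1", body[4]
    raise ValueError("not an SMB message")

class SmbStreamReassembler:
    def __init__(self):
        self.buf = b""
        self.pending = []    # segment numbers whose bytes are not yet consumed
        self.messages = []   # (message body, [contributing segment numbers])

    def feed(self, seg_no: int, payload: bytes) -> int:
        """Append one TCP segment payload; return how many messages it completed."""
        self.buf += payload
        self.pending.append(seg_no)
        done = 0
        while len(self.buf) >= 4:
            if self.buf[0] != 0:
                raise ValueError("unexpected transport type %#x" % self.buf[0])
            length = int.from_bytes(self.buf[1:4], "big")
            if len(self.buf) < 4 + length:
                break                    # rest of this message is in a later segment
            body, self.buf = self.buf[4:4 + length], self.buf[4 + length:]
            self.messages.append((body, list(self.pending)))
            self.pending = [seg_no]      # leftover bytes can only come from this segment
            done += 1
        if not self.buf:
            self.pending = []
        return done

def demo():
    """Three SMB2 messages over two segments: seg 1 = A + start of B, seg 2 = rest of B + C."""
    stream = b"".join(nbss_frame(smb2_message(c)) for c in (0x0000, 0x0001, 0x0003))
    cut = len(nbss_frame(smb2_message(0))) + 10
    r = SmbStreamReassembler()
    r.feed(1, stream[:cut])
    r.feed(2, stream[cut:])
    return [(smb_command(body), segs) for body, segs in r.messages]
```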