Wireshark mailing list archives
Question about reassembled fragmentation
From: "Qmo (Yi-Sheng)" <qmosheng () gmail com>
Date: Wed, 11 Nov 2009 16:20:53 +0800
Dear all,

I've written a frame decoder which decodes the cap file captured by Wireshark. Now I have a question about packet reassembly. When I decode a TCP frame, it was partitioned into 3 packets. In Wireshark, it seems like:

No.  Time  Source      Destination  Protocol  Info
132        10.1.123.5  10.80.111.2  TCP       [TCP segment of a reassembled PDU]
133        10.1.123.5  10.80.111.2  TCP       [TCP segment of a reassembled PDU]
134        10.1.123.5  10.80.111.2  HTTP      HTTP/1.1 200 OK (GIF89a)

I want to decode the HTTP packet, but it involves the three packets. In the Wireshark "Packet bytes Pane", packet No. 134 shows:

[Reassembled TCP Segments (1938 bytes): #132(272) #133(1460) #134(206) ]
[Frame: 132 , payload: 0-271]
[Frame: 133 , payload: 272-1731]
[Frame: 134, payload:1732-1937]

How does Wireshark know this information via the cap file? I've seen the "Packet bytes Pane" for packet No. 134, and there seems to be no information about this. If we don't know the packet No. of all the assembled packets, we can't decode them.

Can anyone help me? Thank you very much!!

Best Regards,
Qmo
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives: http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
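Added example (not part of the original post and not Wireshark's code): the capture file stores no reassembly record, so a decoder has to rebuild the frame table itself from each connection's TCP sequence numbers and the length declared in the HTTP header. Only the three segment sizes come from the post; the ports, initial sequence number and payload bytes are constructed, and the function names are hypothetical.

```python
import re

def reassemble_http(segments):
    """segments: (frame_no, flow, tcp_seq, payload) tuples in capture order.
    Returns [(completing_frame, pdu_len, [(frame, first, last), ...]), ...].
    Assumes the first segment seen on a flow starts a PDU and that each PDU
    ends on a segment boundary (true for the sample below)."""
    flows, done = {}, []
    for frame, flow, seq, payload in segments:
        if not payload:
            continue                                  # bare ACKs carry no stream data
        st = flows.setdefault(flow, {"base": seq, "segs": {}})
        st["segs"].setdefault(seq, (frame, payload))  # keep first copy, drop retransmissions
        # Walk the contiguous bytes starting at the first byte of the current PDU.
        data, parts, nxt = b"", [], st["base"]
        while nxt in st["segs"]:
            f, p = st["segs"][nxt]
            parts.append((f, len(data), len(data) + len(p) - 1))
            data += p
            nxt = (nxt + len(p)) & 0xFFFFFFFF         # sequence numbers wrap at 2**32
        end = data.find(b"\r\n\r\n")
        if end < 0:
            continue                                  # header not complete yet
        m = re.search(rb"^content-length:\s*(\d+)", data[:end], re.I | re.M)
        total = end + 4 + (int(m.group(1)) if m else 0)
        if len(data) >= total:                        # whole PDU is now present
            done.append((frame, total, parts))
            flows[flow] = {"base": (st["base"] + total) & 0xFFFFFFFF, "segs": {}}
    return done

def sample_capture():
    """Constructed segments sized like frames 132-134 in the post (272 + 1460 + 206)."""
    pdu = (b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\n"
           b"Content-Length: 1872\r\n\r\n" + b"GIF89a" + bytes(1866))
    flow = ("10.1.123.5", 80, "10.80.111.2", 40000)   # ports are assumed
    isn = 1000                                        # assumed starting sequence number
    cuts = [(132, 0, 272), (133, 272, 1732), (134, 1732, 1938)]
    return [(f, flow, isn + a, pdu[a:b]) for f, a, b in cuts]

if __name__ == "__main__":
    for frame, total, parts in reassemble_http(sample_capture()):
        print(f"Frame {frame}: reassembled {total} bytes")
        for f, first, last in parts:
            print(f"  [Frame: {f}, payload: {first}-{last}]")
```

A decoder that takes the stream base from the SYN's initial sequence number and carries leftover bytes into the next PDU removes the two assumptions stated in the docstring.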
Current thread:
- Question about reassembled fragmentation Qmo (Yi-Sheng) (Nov 11)
- Re: Question about reassembled fragmentation Guy Harris (Nov 11)
- Re: Question about reassembled fragmentation Qmo (Yi-Sheng) (Nov 11)
- Re: Question about reassembled fragmentation Jaap Keuter (Nov 11)
- Re: Question about reassembled fragmentation Guy Harris (Nov 11)
- Re: Question about reassembled fragmentation Qmo (Yi-Sheng) (Nov 11)
- Re: Question about reassembled fragmentation Guy Harris (Nov 11)