Wireshark mailing list archives

Re: tcp reassembly

From: "Sake Blok" <sake () euronet nl>
Date: Wed, 16 Dec 2009 23:13:26 +0100

TCP is a streaming protocol. This means it will just take the data is has been given from the upper layer and transmit 
it to the receiving end. The receiving end on it's turn just passes the traffic as a stream towards the upper layer. It 
is the upper layer that is responsible for reassembly of the data into it's PDU's.

Within wireshark, it's also the upper layer dissectors telling the tcp dissector to fetch more data (ie use data from 
the next packet in the tcp stream) to complete it's PDU for dissection.

For example, in HTTP/1.0, a Content-Length header is used to tell the browser how much data to pull from the tcp stream 
to complete the object (=PDU at HTTP layer). After that a new object can be requested over the same tcp stream.

Hope this helps,
Cheers,
     Sake

  ----- Original Message ----- 
  From: Chun Chan 
  To: wireshark-users () wireshark org 
  Sent: Wednesday, December 16, 2009 10:27 PM
  Subject: [Wireshark-users] tcp reassembly


  Hi
  I am writing a sniffer but I couldnt understand some things about tcp reassembly.
  firstly I send a data via socket 5000 bytes. then tcpip stack split into three tcp packets. but this is not ip 
fragmentation. I think this is tcp segmentation.
  but I can not understand when I will sniff this packet How can I defragment this packet? 
  I need to understand when finished 5000 bytes.
  I will waiting your reply
  thanks





------------------------------------------------------------------------------


  ___________________________________________________________________________
  Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
  Archives:    http://www.wireshark.org/lists/wireshark-users
  Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
               mailto:wireshark-users-request () wireshark org?subject=unsubscribe

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe

Current thread:

tcp reassembly Chun Chan (Dec 16)
- Re: tcp reassembly Martin Visser (Dec 16)
  - Re: tcp reassembly Stephen Fisher (Dec 16)
- Re: tcp reassembly Sake Blok (Dec 16)
  - Re: tcp reassembly Chun Chan (Dec 16)
    - Re: tcp reassembly Guy Harris (Dec 17)
    - Re: tcp reassembly Chun Chan (Dec 17)