Wireshark mailing list archives

Re: Question about reassembled fragmentation


From: Guy Harris <guy () alum mit edu>
Date: Wed, 11 Nov 2009 00:25:10 -0800


On Nov 11, 2009, at 12:20 AM, Qmo (Yi-Sheng) wrote:

I want to decode the HTTP packet, but it involves three packets.
In the Wireshark "Packet bytes Pane", packet No. 134 shows
 [Reassembled TCP Segments (1938 bytes):  #132(272)  #133(1460)  #134(206) ]
     [Frame: 132 , payload: 0-271]
     [Frame: 133 , payload: 272-1731]
     [Frame: 134,  payload:1732-1937]

How does Wireshark know this information from the cap file?

Because it knows what HTTP responses look like - a Status-Line, a  
bunch of {general,response,entity}-headers, a blank line, and a  
response body, with the latter terminated either by the byte count  
from the headers or by closing the connection - so it accumulates the  
contents of TCP segments until it's seen all of that. 
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
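
The accumulation described in the reply above, as an added Python sketch (not part of the original message and not Wireshark's code). The function names and the sample response are constructed for illustration; segments are assumed to arrive in sequence order, and Transfer-Encoding: chunked is not handled.

```python
def response_length(buf, closed=False):
    """Total size of the HTTP response at the start of buf, or None if incomplete."""
    head_end = buf.find(b"\r\n\r\n")
    if head_end < 0:
        return None                          # blank line after the headers not seen yet
    body_start = head_end + 4
    for line in buf[:head_end].split(b"\r\n")[1:]:   # [1:] skips the Status-Line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            try:
                length = int(value.strip())
            except ValueError:
                return None                  # malformed byte count: cannot decide
            if length < 0:
                return None
            total = body_start + length
            return total if len(buf) >= total else None
    # No byte count in the headers: the body ends when the connection closes.
    return len(buf) if closed else None


def reassemble(segments, closed=False):
    """segments: (frame_number, tcp_payload) pairs in sequence order.
    Returns ([(frame, first_byte, last_byte), ...], total_bytes) or None."""
    buf, ranges = b"", []
    for frame, payload in segments:
        if not payload:
            continue                         # bare ACKs carry no HTTP data
        ranges.append((frame, len(buf), len(buf) + len(payload) - 1))
        buf += payload
        total = response_length(buf)
        if total is not None:
            return ranges, total             # complete once the byte count is met
    total = response_length(buf, closed)     # otherwise only complete on close
    return (ranges, total) if total is not None else None


# Constructed sample sized like the one in the question: 66 header bytes + 1872 body bytes.
SAMPLE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
          b"Content-Length: 1872\r\n\r\n" + b"x" * 1872)
SEGMENTS = [(132, SAMPLE[:272]), (133, SAMPLE[272:1732]), (134, SAMPLE[1732:])]

if __name__ == "__main__":
    for frame, first, last in reassemble(SEGMENTS)[0]:
        print(f"[Frame: {frame}, payload: {first}-{last}]")
```

The response is reported complete only at frame 134, which is why the reassembled view is attached to that packet.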