Wireshark mailing list archives

Re: Segmentation problem


From: Guy Harris <guy () alum mit edu>
Date: Mon, 15 Feb 2010 01:06:01 -0800


On Feb 11, 2010, at 2:31 AM, Salman Malik wrote:

> I wanted to ask: how does Wireshark detect segments of TCP? I mean which field does it camp on to detect if the last TCP segment has arrived?

As Olivier noted, there is, and can be, no such field; the TCP dissector and the dissector for the protocol running atop TCP have to cooperate to perform reassembly.

> Actually I'm working with some GTP traffic,

Presumably this is the GSM/3GPP GTP protocol; at least according to 3GPP TS 09.60 version 7.8.0 Release 1998/ETSI TS 101 347 V7.8.0 (2001-09), a GTP message has a 2-octet length field, giving the length of the message (not counting the fixed-length 20-octet header), so it appears that it could use tcp_dissect_pdus() for GTP-over-TCP.

However, it doesn't, so:

> when I filter it for m-send-req message (used in MMS transaction flow) and try to save it in a separate pcap, I don't see the packet (primarily because the packet consisted of two TCP segments, first of which was not shown after the application of filter and thus is shown as "continuation or non-http traffic").

...that won't work.

Note, though, that, if we *do* implement reassembly, only one of the TCP segments will be matched by the filter - the one containing the last octet of the GTP message in question - so saving the message to a file will require that you do more work to show all the TCP segments that contain data from the message.

> Someone help please!

If you can file a bug in the Wireshark bugzilla, asking that we implement reassembly for GTP-over-TCP, and attach a capture file with a GTP message split over multiple TCP segments, so that we can test any fix we make, that would be best.
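A small model of the cooperation Guy describes, added here as an example (it is not Wireshark code and not part of the original thread): a get_pdu_len-style callback reads the 2-octet GTP length field, the stream is buffered until the last octet of a message arrives, and each reassembled message records every frame that carried part of it, which is the extra bookkeeping needed to export all segments rather than only the one a filter matches. It assumes the length field sits at offset 2 of the 20-octet header, which the post does not state, and uses a constructed sample stream.

```python
import struct

GTP_HEADER_LEN = 20      # fixed header length quoted in the post (3GPP TS 09.60)
GTP_LENGTH_OFFSET = 2    # assumption: the 2-octet length field follows flags and message type

def gtp_pdu_len(buf):
    """Total PDU length once the length field is readable, else None (the get_pdu_len role)."""
    if len(buf) < GTP_LENGTH_OFFSET + 2:
        return None
    (payload_len,) = struct.unpack_from("!H", buf, GTP_LENGTH_OFFSET)
    return GTP_HEADER_LEN + payload_len

def reassemble(segments, pdu_len_fn=gtp_pdu_len):
    """segments: (frame_number, tcp_payload) pairs in stream order.  Returns one dict per
    complete PDU: its bytes, every frame that carried part of it, and the completing frame."""
    buf, contributing, pdus = b"", [], []
    for frame, payload in segments:
        buf += payload
        contributing.append(frame)
        while True:
            total = pdu_len_fn(buf)
            if total is None or len(buf) < total:
                break                        # desegment: wait for more TCP data
            pdu, buf = buf[:total], buf[total:]
            pdus.append({"pdu": pdu, "frames": list(contributing), "completed_in": frame})
            contributing = [frame] if buf else []   # leftover bytes came from this frame

    return pdus

def frames_for_message(pdus, msg_type):
    """Frames that must be exported to keep every segment of the matching messages,
    not just the frame in which the last octet arrived."""
    frames = set()
    for p in pdus:
        if p["pdu"][1] == msg_type:
            frames.update(p["frames"])
    return sorted(frames)

def make_gtp(msg_type, payload):
    """Constructed GTPv0-style message: flags, type, 2-octet length, 16 filler header octets."""
    return bytes([0x1E, msg_type]) + struct.pack("!H", len(payload)) + bytes(16) + payload

# Constructed sample stream: a 50-octet message split across frames 1-2, then a
# 24-octet message that starts at the tail of frame 2 and finishes in frame 3.
STREAM = make_gtp(0x10, b"A" * 30) + make_gtp(0x11, b"B" * 4)
SAMPLE_SEGMENTS = [(1, STREAM[:24]), (2, STREAM[24:60]), (3, STREAM[60:])]

if __name__ == "__main__":
    for p in reassemble(SAMPLE_SEGMENTS):
        print(hex(p["pdu"][1]), "frames", p["frames"], "completed in frame", p["completed_in"])
```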
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe

