Re: Reassembly of split fragments

[Guy Harris <gharris () sonic net>]

On Jan 26, 2022, at 1:54 PM, Jaap Keuter <jaap.keuter () xs4all nl> wrote:

> Few remarks. The mix-27010 dissector is made to dissect frames of type WTAP_ENCAP_MUX27010, or PCAP link layer header 
> type, as defined at https://tcpdump.org/linktypes/LINKTYPE_MUX27010.html There it states what the layout in the PCAP 
> packets ought to be. All your variations do not fall into that category, so shouldn't use this PCAP link layer header 
> type, IMHO.

Exactly.

If traffic doesn't match the description in the entry on the page at

        https://www.tcpdump.org/linktypes.html

for the link-layer type being used in pcap or pcapng files for that traffic, the pcap/pcapng file isn't valid, and one 
shouldn't expect tcpdump or Wireshark or... to be able to handle it.

I.e., if

> > [somebody captures] the serial line traffic in pcap format

then, if they want it to be interpreted as mux27010 traffic, they must encapsulate the serial line traffic in the form 
described on

        https://tcpdump.org/linktypes/LINKTYPE_MUX27010.html

*before* they write it to the file.  If that means that reassembly must be done before writing to the file, that's the 
way it is.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe