 

how wireshark marks some packets as "tcp segment of a reassembled pdu" [closed]

I opened a pcap in Wireshark and it displays a lot of packets as "TCP segment of a reassembled PDU". How is Wireshark able to determine which TCP packets are segments of a reassembled PDU? I am not able to find any header field or anything else by which Wireshark can determine this.

Any help will be greatly appreciated. THANKS !!!

mezda asked Oct 11 '12 09:10





1 Answer

The sequence number is the field which helps in reassembly. Say you have data bytes 1-300 to send.

For instance, say they were divided into 3 segments of size 100 each, i.e. first (byte numbers 1-100), second (101-200) and third (201-300). Now even if they are received out of order, the sequence numbers won't change. So when reassembling data, you would know the original order of the packets, and hence Wireshark can display the assembled packets.

"If the SYN flag is clear (0), then this is the accumulated sequence number of the first data byte of this packet for the current session." (Source: TCP)

Remember, this is different from IP fragmentation and reassembly. The IP header has fields to specify if there are fragments and, if so, what the fragment offset of the current packet is.

fkl answered Oct 22 '22 17:10

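The mechanism the answer describes, as an added example that is not part of the original post and is not Wireshark's own code: three 100-byte segments carrying bytes 1-300 arrive out of order, the sequence number puts them back in stream order, and then a higher-layer dissector decides which segments complete a PDU. Wireshark has no header field for "reassembled PDU"; the label comes from the upper-layer dissector knowing where its messages end. The PDU format here is a constructed stand-in (a 2-byte big-endian length prefix followed by the body), and the sequence numbers and payloads are constructed sample data.

```python
import struct
from typing import Dict, List, Tuple

# (TCP sequence number of the first payload byte, payload)
Segment = Tuple[int, bytes]


def reorder_segments(segments: List[Segment], isn: int) -> List[Segment]:
    """Put segments back in stream order using only their sequence numbers.
    isn is the sequence number of the first data byte of the stream; a hole
    in the sequence space (a missing segment) raises instead of guessing."""
    ordered = sorted(segments, key=lambda s: s[0])
    expected = isn
    for seq, payload in ordered:
        if seq != expected:
            raise ValueError(f"missing data: expected seq {expected}, got {seq}")
        expected += len(payload)
    return ordered


def pdu_boundaries(stream: bytes) -> List[Tuple[int, int]]:
    """Walk the contiguous byte stream and return [start, end) offsets of every
    complete PDU in the constructed format (2-byte length, then that many body
    bytes). A PDU whose tail has not arrived yet is not returned."""
    bounds = []
    off = 0
    while off + 2 <= len(stream):
        (length,) = struct.unpack_from("!H", stream, off)
        end = off + 2 + length
        if end > len(stream):
            break  # incomplete PDU: more segments are needed
        bounds.append((off, end))
        off = end
    return bounds


def label_segments(segments: List[Segment], isn: int) -> Dict[int, str]:
    """Map each segment's sequence number to the label Wireshark would show:
    the segment holding a PDU's final byte is dissected as that protocol,
    every other segment is just 'TCP segment of a reassembled PDU'."""
    ordered = reorder_segments(segments, isn)
    stream = b"".join(payload for _, payload in ordered)
    pdu_ends = [end for _, end in pdu_boundaries(stream)]
    labels = {}
    for seq, payload in ordered:
        first = seq - isn             # stream offset of this segment's first byte
        last = first + len(payload)   # one past its last byte
        if any(first < end <= last for end in pdu_ends):
            labels[seq] = "dissected PDU"
        else:
            labels[seq] = "TCP segment of a reassembled PDU"
    return labels


def extract_pdus(segments: List[Segment], isn: int) -> List[bytes]:
    """Return the bodies of all complete PDUs, in stream order."""
    ordered = reorder_segments(segments, isn)
    stream = b"".join(payload for _, payload in ordered)
    return [stream[start + 2:end] for start, end in pdu_boundaries(stream)]


def build_stream(bodies: List[bytes]) -> bytes:
    """Encode PDU bodies with the constructed 2-byte length prefix."""
    return b"".join(struct.pack("!H", len(body)) + body for body in bodies)


# Constructed sample: two PDUs totalling 300 bytes (2+198 and 2+98), sent as
# three 100-byte segments with sequence numbers 1, 101 and 201, as in the answer.
ISN = 1
BODY_A = b"A" * 198
BODY_B = b"B" * 98
STREAM = build_stream([BODY_A, BODY_B])
SEGMENTS = [(ISN + off, STREAM[off:off + 100]) for off in range(0, 300, 100)]
ARRIVED = [SEGMENTS[2], SEGMENTS[0], SEGMENTS[1]]  # captured out of order

if __name__ == "__main__":
    for seq, label in sorted(label_segments(ARRIVED, ISN).items()):
        print(seq, label)
    print([len(body) for body in extract_pdus(ARRIVED, ISN)])
```

Segment 1 (bytes 1-100) contains no PDU end, so it gets the "reassembled PDU" label; segment 101 carries the last byte of the first PDU and segment 201 the last byte of the second, so both are dissected. Dropping any segment from ARRIVED makes reorder_segments raise, which is the analogue of Wireshark reporting a missing segment rather than a reassembled PDU.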