Thank you. If that's the case, there should be a TCP segment following this TPKT packet with TPKT payload contained. But in fact, Eathereal didn't captured such a TCP segment.
________________________________
From: Guy Harris [mailto:guy@xxxxxxxxxxxx]
Sent: Mon 10/6/2003 4:54 PM
To: #YANG YONG#
Cc: ethereal-users@xxxxxxxxxxxx
Subject: Re: [Ethereal-users] Payload of TPKT is missing
On Mon, Oct 06, 2003 at 10:49:32AM +0800, #YANG YONG# wrote:
> When I captured a TPKT packet, ethereal said it contained a Q.931
> message, and the length was 200. But in fact ethereal captured nothing
> of the payload of the TPKT packet. The record is attached for your
> information. I wonder why.
Perhaps because you haven't turned on the "Allow subdissector to
desegment TCP streams" option, or the "Desegment all TPKT messages
spanning multiple TCP segments" option is turned off, and this TPKT
packet came from a VoIP implementation that puts out the TPKT header and
body in separate TCP segments (as I think Microsoft's NetMeeting stuff
does, for example)?
Select "Preferences" from the "Edit" menu, click on the "[+]" next to
"Protocols" in the dialog box that pops up in order to open up the list
of protocols, select "TCP", turn on the "Allow subdissector to desegment
TCP streams" option, then select "TPKT" and, if "Desegment all TPKT
message spanning multiple TCP segments" is turned off, turn it on. Then
click "OK".
If you want those settings to be the default whenever you run Ethereal
(at least on that machine, or any other machine where you have the same
home directory for UNIX or "profile directory" for Windows), click
"Save" before clicking "OK".