Ethereal-users: [Ethereal-users] Re: Reassembled PDU's

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "ronnie sahlberg" <ronniesahlberg@xxxxxxxxx>
Date: Thu, 2 Mar 2006 09:38:12 +0000
expand the TCP layer for those packets.

i am sure that the packets do contain TCP and a higher-layer PDU that
spans multiple tcp segments.

there should be a field inside the tcp layer that tells you in which
packet the full pdu is reassembled in.



you can disable tcp reassembly in the preferences since it does eat
quite a lot of memory.



the DF flag is in the IP layer and controls IP fragmentation   wich is
only used really for UDP (not tcp) packets larger than the MTU.

most TCP stacks always set the DF bit   since TCP wants to do its own
"segmentation" of data instead of relying on the (to TCP, inferior and
redundant)  fragment feature of IP.




On 3/2/06, Danny Brett <danny@xxxxxxxxxx> wrote:
> Hi LEGO,
>
> Sorry, should've mentioned that I've already looked at MTU being the
> problem.
>
> I set the max MTU on the server to 1350 to allow for the extra
> header/data that was added on. This seems to be working correctly as the
> max frame size I'm seeing is now 1350.
>
> What confuses me is that the 'reassembled PDU' packets are coming from
> the server at source, ie directly from the server before they hit the
> router.
>
> If the packets *are* fragmented (which is what I don't fully understand,
> the DF flag is set but Ethereal reports them as a 'reassembled PDU')
> then it seems that they are being fragmented by the server. I'm really
> looking for an explanation of 'reassembled PDU' so I can understand what
> I'm seeing.
>
> Thanks,
> DB
>
> -----Original Message-----
> From: ethereal-users-bounces@xxxxxxxxxxxx
> [mailto:ethereal-users-bounces@xxxxxxxxxxxx] On Behalf Of LEGO
> Sent: 02 March 2006 03:11
> To: Ethereal user support
> Subject: Re: [Ethereal-users] Reassembled PDU's
>
> VPN routers usually do some kind of tunnelling, which uses a part of
> the payload of the packet so a full packet from the server might not
> fit into a single packet after the router:
>
> S --(1500)-->FW--(1500)-->R--(2 frags: (1500 - 20) + (20) )-->R--(2
> fragmented packets)-->C
>
> You could try reducing the MTU of the server (and/or the FW depending
> which role it plays) to something the Encapsulated tunnel can handle.
>
> S --(1480)-->FW--(1480)-->R--(1480)-->R--(1480)-->C
>
>
> On 3/1/06, Danny Brett <danny@xxxxxxxxxx> wrote:
> >
> >
> >
> > Hi all,
> >
> >
> >
> > I'm monitoring a problem application and am seeing a lot of
> 'reassembled
> > PDU' frames from the server back to the client.
> >
> >
> >
> > The network looks like this:
> >
> >
> >
> > Server --- Firewall --- VPN Router --- WAN --- VPN Router --- Client
> >
> >
> >
> > I'm monitoring between the firewall and the router and/or server and
> > firewall.
> >
> >
> >
> > These frames are not at the maximum MTU size, some are as small as 60
> bytes.
> > Am I right in thinking the 'reassembled PDU' message is stating that
> the
> > frame is part of a larger segment or that this a fragmented frame?
> >
> >
> >
> > I think I understand what's going on but thought I would call on the
> wisdom
> > of ethereal-users to help me out! :o)
> >
> >
> >
> > Thanks.
> >
> > DB
>
>
> The above information is confidential to the addressee and may be
> privileged. Unauthorised access and use is prohibited. Internet
> communications are not secure and therefore this Company does not accept
> legal responsibility for the contents of this message. If you are not the
> intended recipient, any disclosure, copying, distribution, or any action
> taken or omitted to be taken in reliance on it, is prohibited and may be
> unlawful. The sender does not accept any responsibility for viruses and it
> is your responsibility to scan the email and any attachments.
>
> _______________________________________________
> Ethereal-users mailing list
> Ethereal-users@xxxxxxxxxxxx
> http://www.ethereal.com/mailman/listinfo/ethereal-users
>