Ethereal-users: RE: [Ethereal-users] "TCP Segment of a Reassembled PDU"vs. "Continuation or non-

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Feeny, Michael (TD&DS, Applications Infrastructure Svcs.)" <michael_feeny@xxxxxx>
Date: Tue, 18 Apr 2006 17:54:58 -0400
Excellent explanation!  

I run Ethereal from two different machines, and I just checked:  The
"reassembly" preferences you reference are set differently across the
two.

Thanx,
Michael

Michael Feeny

I2T  -  Application Integration Management

609-274-2761 (Office)

484-995-1745 (Mobile)

feenyman99 (AIM)


-----Original Message-----
From: ethereal-users-bounces@xxxxxxxxxxxx
[mailto:ethereal-users-bounces@xxxxxxxxxxxx] On Behalf Of Guy Harris
Sent: Tuesday, April 18, 2006 1:52 PM
To: Ethereal user support
Subject: Re: [Ethereal-users] "TCP Segment of a Reassembled PDU"vs.
"Continuation or non-HTTP traffic"

Feeny, Michael (TD&DS, Applications Infrastructure Svcs.) wrote:

> I have 2 different trace files, each of which contains an HTTP "POST" 
> request that is split across 2 packets.  In one of the traces,
Ethereal 
> displays "TCP Segment of a Reassembled PDU" for the 1^st of these 2 
> packets, and in the other, it displays "Continuation or non-HTTP 
> traffic" for the 2^nd of the 2 packets.
> 
> Can someone explain the distinction?

"TCP Segment of a Reassembled PDU" means that Ethereal's doing 
reassembly, which means that

	1) TCP's "Allow subdissector to reassemble TCP streams"
preference is 
turned on;

	2) HTTP's reassembly preferences are turned on;

	3) the POST body is either not split across segments or has a 
Content-Length header (currently, HTTP bodies aren't reassembled if they

don't have a Content-Length header).

"Continuation or non-HTTP traffic means Ethereal's not doing reassembly.

  Unless you changed the preference settings between the two traces, it 
might be that the second POST doesn't have a Content-Length header.

> One difference in the 2 traces:  In the first trace, HTTP is sent over
a 
> non-standard TCP port (3139), and so I have to use "Analyze/Decode
as..." 
> to force Ethereal to interpret the traffic as HTTP.  Does that explain

> the difference in diagnostic messages?

Probably not - the HTTP code path should work the same in either case.
_______________________________________________
Ethereal-users mailing list
Ethereal-users@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-users
--------------------------------------------------------

If you are not an intended recipient of this e-mail, please notify the sender, delete it and do not read, act upon, print, disclose, copy, retain or redistribute it. Click here for important additional terms relating to this e-mail.     http://www.ml.com/email_terms/
--------------------------------------------------------