I'm running Ethereal 0.99.0 under Windows, as well as 0.10.13 under
Fedora Core 3. I'm attempting to diagnose some issues where some of our
users' connections suddenly up and die rather abruptly. I'm getting
some unusual feedback from Ethereal, particularly I'm seeing a large
number of "TCP segment of a reassembled PDU" messages.
Some of these packets are, however, only 22 bytes. For instance, frame
3 is 54 bytes and frame 4 - the first listed as a reassembled PDU - is
76 bytes.

The actual dialog occurring is a simple client connecting to a server,
handshaking, and then requesting packets of increasing sizes, and the
result looks a bit like this (I can't export the actual packet capture
as text, it tells me "The path to the file "" doesn't exist."). Capture
performed *on* 192.168.0.130:

192.168.0.130 -> 209.144.109.141 TCP [SYN] Seq=0 Len=0 MSS=1460
209.144.109.141 -> 192.168.0.130 TCP [SYN,ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
192.168.0.130 -> 209.144.109.141 TCP [ACK] Seq=1 Ack=1 Win=65535 Len=0
192.168.0.130 -> 209.144.109.141 TCP [TCP segment of a reassembled PDU]
209.144.109.141 -> 192.168.0.130 TCP [ACK] Seq=1 Ack=23 Win=5840 Len=0

Whereas if I disable the subdissector it looks more like this:

192.168.0.130 -> 209.144.109.141 TCP [SYN] Seq=0 Len=0 MSS=1460
209.144.109.141 -> 192.168.0.130 TCP [SYN,ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
192.168.0.130 -> 209.144.109.141 TCP [ACK] Seq=1 Ack=1 Win=65535 Len=0
192.168.0.130 -> 209.144.109.141 TCP [PSH,ACK] Seq=1 Ack=1 Win=65535 Len=22
209.144.109.141 -> 192.168.0.130 TCP [ACK] Seq=1 Ack=23 Win=5840 Len=0

My question is this: Is something being fragmented by TCP or is this
the result of multiple packets going into a single ethernet frame? I
just find it a little odd that I'm seeing "reassembled pdu"s on data
leaving 192.168.0.130 in a capture *on* 192.168.0.130 (a box running
Windows XP).
- Oliver
_______________________________________________
Ethereal-users mailing list
Ethereal-users@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-users