Wireshark-dev: [Wireshark-dev] Question about reassembled fragmentation
Dear all,
I've written a frame decoder which decodes the cap file captured by Wireshark.
Now I have a question about packet reassembly.
When I decode a TCP frame, it was partitioned into 3 packets. In Wireshark, it looks like:
No.  Time  Source      Destination  Protocol  Info
132        10.1.123.5  10.80.111.2  TCP       [TCP segment of a reassembled PDU]
133        10.1.123.5  10.80.111.2  TCP       [TCP segment of a reassembled PDU]
134        10.1.123.5  10.80.111.2  HTTP      HTTP/1.1 200 OK (GIF89a)
I want to decode the HTTP packet, but it involves the three packets.
In Wireshark's "Packet bytes Pane", packet No. 134 shows
[Reassembled TCP Segments (1938 bytes): #132(272) #133(1460) #134(206) ]
[Frame: 132 , payload: 0-271]
[Frame: 133 , payload: 272-1731]
[Frame: 134, payload:1732-1937]
How does Wireshark know this information from the cap file?
I've looked at the "Packet bytes Pane" for packet No. 134, and there seems to be no information about this.
If we don't know the packet numbers of all the reassembled packets, we can't decode them.
Can anyone help me? Thank you very much!!
Best Regards,
Qmo
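
Added example, not part of the original message and not Wireshark's own code: the frame-to-offset map quoted above is not stored in the capture file; a decoder can derive it by ordering one TCP stream's payloads by sequence number and using the HTTP Content-Length header to find where the PDU ends. Only the frame numbers and segment lengths come from the post; the sequence numbers, payload bytes and function names are constructed for illustration.

```python
import re

def pdu_length(buf):
    """Total HTTP message length (headers + body) once the headers are complete, else None."""
    end = buf.find(b"\r\n\r\n")
    if end < 0:
        return None
    m = re.search(rb"(?im)^Content-Length:[ \t]*(\d+)", bytes(buf[:end]))
    return end + 4 + int(m.group(1)) if m else None  # only the Content-Length case is handled

def reassemble(segments):
    """segments: (frame_no, tcp_seq, payload) from one direction of one TCP connection.
    Returns (pdu, [(frame_no, first_byte, last_byte)]) or None while the PDU is incomplete."""
    base = min(seq for _, seq, _ in segments)  # assumes the PDU starts at the lowest seq, no wraparound
    buf, ranges = bytearray(), []
    for frame_no, seq, payload in sorted(segments, key=lambda s: s[1]):
        off = seq - base
        if off > len(buf):
            return None  # hole in sequence space: a segment is missing
        new = payload[len(buf) - off:]  # skip bytes already seen (retransmission)
        if new:
            ranges.append((frame_no, len(buf), len(buf) + len(new) - 1))
            buf += new
    need = pdu_length(buf)
    if need is None or len(buf) < need:
        return None  # headers or body still incomplete: wait for more segments
    return bytes(buf[:need]), ranges

# Constructed sample: a 1938-byte HTTP response split 272/1460/206 as in the post.
# Sequence numbers (starting at 5000) and the body padding are made up.
HEAD = b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\nContent-Length: %d\r\n\r\n"
BODY_LEN = 1938 - len(HEAD % 1000)  # any 4-digit length gives the same header size
PDU = HEAD % BODY_LEN + b"GIF89a".ljust(BODY_LEN, b"\x00")
SEGMENTS = [(132, 5000, PDU[:272]), (133, 5272, PDU[272:1732]), (134, 6732, PDU[1732:])]

if __name__ == "__main__":
    print(reassemble(SEGMENTS[:2]))  # frames 132 and 133 alone do not complete the PDU
    pdu, ranges = reassemble(SEGMENTS)
    print(len(pdu), "bytes reassembled")
    for frame_no, first, last in ranges:
        print(f"[Frame: {frame_no}, payload: {first}-{last}]")
```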