Wireshark-dev: Re: [Wireshark-dev] Question about reassembled fragmentation

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 11 Nov 2009 00:25:10 -0800

On Nov 11, 2009, at 12:20 AM, Qmo (Yi-Sheng) wrote:

I want to decode the HTTP packet, but it involves three packets.
In Wireshark "Packet bytes Pane", the packet No. 134 shows
[Reassembled TCP Segments (1938 bytes): #132(272) #133(1460) #134(206) ]
     [Frame: 132 , payload: 0-271]
     [Frame: 133 , payload: 272-1731]
     [Frame: 134 , payload: 1732-1937]

How does Wireshark know this information from the cap file?

Because it knows what HTTP responses look like - a Status-Line, a bunch of {general,response,entity}-headers, a blank line, and a response body, with the latter terminated either by the byte count from the headers or by closing the connection - so it accumulates the contents of TCP segments until it's seen all of that.
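The accumulation described in the reply, as an added example that is neither code from this thread nor Wireshark's own dissector: a minimal HTTP response framer that appends TCP segment payloads, parses the Status-Line and headers up to the blank line, then waits for Content-Length bytes of body or, when no length is given, for the connection to close. The segment sizes are constructed to reproduce the #132(272) #133(1460) #134(206) reassembly quoted in the question; frame numbers and the `connection_closed` flag are assumptions of the example.

```python
# Added example, not from the thread or from Wireshark: reassemble an HTTP
# response from TCP segment payloads using the two terminators the reply
# names, a Content-Length byte count or connection close.

def header_end(buf):
    """Offset just past the CRLFCRLF that ends the headers, or -1 if not seen."""
    i = buf.find(b"\r\n\r\n")
    return -1 if i < 0 else i + 4

def content_length(headers):
    """Content-Length from the header block, or None when the header is absent."""
    for line in headers.split(b"\r\n")[1:]:   # [0] is the Status-Line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"content-length":
            return int(value.strip())
    return None

def reassemble(segments, connection_closed=False):
    """segments: list of (frame_no, payload) in stream order (constructed input).
    Returns (complete, frame_map, body); frame_map mirrors Wireshark's
    '[Frame: N, payload: a-b]' lines, body is the response body once complete."""
    buf, frame_map = b"", []
    for frame_no, payload in segments:
        frame_map.append((frame_no, len(buf), len(buf) + len(payload) - 1))
        buf += payload
        end = header_end(buf)
        if end < 0:
            continue                        # still inside the headers
        clen = content_length(buf[:end])
        if clen is not None and len(buf) >= end + clen:
            # bytes beyond end + clen belong to the next pipelined response
            return True, frame_map, buf[end:end + clen]
    end = header_end(buf)
    if end >= 0 and content_length(buf[:end]) is None and connection_closed:
        return True, frame_map, buf[end:]   # body delimited by the close
    return False, frame_map, b""

def constructed_segments():
    """Three segments carrying one 1938-byte response (66 header + 1872 body)."""
    body = b"x" * 1872
    resp = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
            b"Content-Length: %d\r\n\r\n" % len(body)) + body
    return [(132, resp[0:272]), (133, resp[272:1732]), (134, resp[1732:])]

if __name__ == "__main__":
    complete, frames, body = reassemble(constructed_segments())
    print(complete, frames, len(body))
```

Transfer-Encoding: chunked and pipelined responses are further cases a real dissector must handle; this example covers only the two terminators named in the reply.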