Hi,

A long-standing issue is that the TCP dissector is unable to reassemble
out-of-order segments, resulting in missing HTTP objects and breaking
TLS decryption (among other things).

In order to tackle this, I wrote a patch to buffer segments until all
missing segments are found: https://code.wireshark.org/review/27943
(Reviews are welcome, especially for the User's Guide changes and the
idea itself.)

This behavior is currently disabled by default and put behind an
additional preference. I was wondering though if you would be okay with
enabling correct out-of-order handling by default.

I could also make it depend on the "Allow subdissector to reassemble TCP
streams" preference if desired. Then users who are only doing TCP
analysis do not have to disable an additional preference.
--
Kind regards,
Peter Wu
https://lekensteyn.nl