Wireshark-users: Re: [Wireshark-users] "TCP Segment of a reassembled PDU" from a NetApp filer

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 18 Mar 2008 18:32:39 -0700

On Mar 18, 2008, at 6:22 PM, lemons_terry@xxxxxxx wrote:

> I've read previous posts regarding "TCP Segment of a reassembled PDU", but I still can't figure out why it is happening in my environment.

There are two questions here:

	1) why does "TCP Segment of a reassembled PDU" happen at all?

	2) why, in some cases, don't you eventually see the reassembled PDU?

The answer to 1) is "because some protocols running atop TCP either put more than one of their PDUs in a TCP segment, with the last of the PDUs not fitting in the space left in the TCP segment that the TCP implementation chooses to send, or have PDUs that are bigger than the TCP segment that the TCP implementation chooses to send"; that means that the PDU is split between more than one TCP segment, and Wireshark tries to reassemble that.

At least one answer to 2) is "because, for some reason, the program doing the packet capture didn't manage to capture all the segments across which the PDU is split, so the reassembly can't complete".

Try turning TCP reassembly off in the preferences for the TCP dissector (that'll prevent reassembly being done for any protocol - TCP reassembly requires the cooperation of the TCP dissector and the dissector for the protocol running atop TCP, as TCP has no idea when the PDUs for the protocol running atop it start and end), and see what NDMP packets it shows, if any. Then see if there are any missing TCP segments; that could be a networking problem, or could just mean that whatever machine couldn't capture and save all the packets in the conversation.
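Both answers above can be reproduced offline. The following is an added example, not part of the original message and not Wireshark's code: it cuts a byte stream into TCP-sized segments, reassembles it, and shows what is left over when one segment is missing from the capture. The 4-byte length-prefix framing, the 1460-byte segment size and all function names are assumptions made for illustration; this is not NDMP's actual framing.

```python
import struct

MSS = 1460  # constructed segment size for the sample capture

def frame(pdu):
    # Hypothetical framing: 4-byte big-endian length, then the PDU body.
    return struct.pack(">I", len(pdu)) + pdu

def segmentize(stream, mss=MSS):
    # What the TCP sender does: cut the byte stream with no regard to PDU edges.
    return [(o, stream[o:o + mss]) for o in range(0, len(stream), mss)]

def find_gaps(segments):
    """Return (contiguous_bytes, gaps) for one direction; seq is relative to 0."""
    stream, gaps, next_seq = bytearray(), [], 0
    for seq, payload in sorted(segments):
        end = seq + len(payload)
        if end <= next_seq:
            continue                      # pure retransmission
        if seq > next_seq:
            gaps.append((next_seq, seq))  # bytes the capture never saw
        elif not gaps:
            stream += payload[next_seq - seq:]  # trim any overlap
        next_seq = end
    return bytes(stream), gaps

def split_pdus(stream):
    """Return (complete PDUs, leftover bytes of an unfinished PDU)."""
    pdus, off = [], 0
    while off + 4 <= len(stream):
        (length,) = struct.unpack_from(">I", stream, off)
        if off + 4 + length > len(stream):
            break                         # rest of this PDU is in a later segment
        pdus.append(stream[off + 4:off + 4 + length])
        off += 4 + length
    return pdus, stream[off:]

def reassemble(segments):
    stream, gaps = find_gaps(segments)
    pdus, leftover = split_pdus(stream)
    return pdus, leftover, gaps

# Constructed sample: a small PDU, one larger than the MSS, then another small one.
SAMPLE = segmentize(frame(b"A" * 10) + frame(b"B" * 3000) + frame(b"C" * 20))

if __name__ == "__main__":
    for label, capture in (("complete", SAMPLE), ("segment 2 dropped", SAMPLE[:1] + SAMPLE[2:])):
        pdus, leftover, gaps = reassemble(capture)
        print(label, [len(p) for p in pdus], len(leftover), gaps)
```

With the middle segment dropped, only the first PDU completes; the bytes after it are the start of a PDU whose remainder was never captured, which corresponds to segments labelled "TCP Segment of a reassembled PDU" with no reassembled PDU following.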