On Mar 18, 2008, at 6:22 PM, lemons_terry@xxxxxxx wrote:
> I've read previous posts regarding "TCP Segment of a reassembled
> PDU", but I still can't figure out why it is happening in my
> environment.

There are two questions here:
1) why does "TCP Segment of a reassembled PDU" happen at all?
2) why, in some cases, don't you eventually see the reassembled PDU?
The answer to 1) is "because some protocols running atop TCP either
put more than one of their PDUs in a TCP segment, with the last of the
PDUs not fitting in the space left in the TCP segment that the TCP
implementation chooses to send, or have PDUs that are bigger than the
TCP segment that the TCP implementation chooses to send"; that means
that the PDU is split between more than one TCP segment, and Wireshark
tries to reassemble that.
At least one answer to 2) is "because, for some reason, the program
doing the packet capture didn't manage to capture all the segments
across which the PDU is split, so the reassembly can't complete".
Try turning TCP reassembly off in the preferences for the TCP
dissector (that'll prevent reassembly being done for any protocol -
TCP reassembly requires the cooperation of the TCP dissector and the
dissector for the protocol running atop TCP, as TCP has no idea when
the PDUs for the protocol running atop it start and end), and see what
NDMP packets it shows, if any. Then see if there are any missing TCP
segments; that could be a networking problem, or could just mean that
whatever machine was doing the capture couldn't capture and save all
the packets in the conversation.
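
An added illustration, not part of the original message: a small Python model of the reassembly described above, showing why a PDU split across segments never appears when one of its segments is missing from the capture. The 4-byte length-prefix framing, the 1460-byte segment size and all names are assumptions made for the example; sequence-number wraparound is ignored.

```python
import struct

MSS = 1460  # assumed TCP payload size per segment

def frame(body):
    # Hypothetical framing: 4-byte big-endian length, then the PDU body.
    return struct.pack(">I", len(body)) + body

def segmentize(stream, isn):
    # Cut a byte stream into (sequence number, payload) TCP segments.
    return [(isn + i, stream[i:i + MSS]) for i in range(0, len(stream), MSS)]

def reassemble(segments, isn):
    """Rebuild PDUs from the captured segments of one direction of a connection.

    Returns (pdus, gap, pending): completed PDU bodies, the first range of
    sequence numbers missing from the capture (or None), and the number of
    bytes held for a PDU that never completed.
    """
    stream, next_seq, gap = bytearray(), isn, None
    for seq, data in sorted(segments):
        if seq > next_seq:               # hole: a segment was not captured
            gap = (next_seq, seq)
            break                        # bytes after the hole cannot be placed
        stream += data[next_seq - seq:]  # skip bytes already seen (retransmits)
        next_seq = max(next_seq, seq + len(data))
    pdus, off = [], 0
    while off + 4 <= len(stream):
        (length,) = struct.unpack_from(">I", stream, off)
        if off + 4 + length > len(stream):
            break                        # PDU continues in a later segment
        pdus.append(bytes(stream[off + 4:off + 4 + length]))
        off += 4 + length
    return pdus, gap, len(stream) - off

# Constructed sample: three PDUs sent back to back, first byte at sequence 1000.
# Segment 1 carries all of A plus the start of B, segment 2 is the middle of B,
# segment 3 carries the end of B and all of C.
A, B, C = b"a" * 10, b"b" * 3000, b"c" * 20
SEGMENTS = segmentize(frame(A) + frame(B) + frame(C), isn=1000)

if __name__ == "__main__":
    lossy = SEGMENTS[:1] + SEGMENTS[2:]  # capture that missed segment 2
    for label, capture in (("complete", SEGMENTS), ("segment 2 lost", lossy)):
        pdus, gap, pending = reassemble(capture, isn=1000)
        print(label, [len(p) for p in pdus], "gap:", gap, "pending:", pending)
```

With segment 2 missing, only PDU A completes: the first 1446 bytes of B stay pending, and C, although fully captured in segment 3, cannot be located because its position in the stream depends on the missing bytes.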