Wireshark-users: Re: [Wireshark-users] "TCP Segment of a reassembled PDU" from a NetApp filer

Date: Tue, 18 Mar 2008 22:08:39 -0400
>There's two questions here:
>
>	1) why does "TCP Segment of a reassembled PDU" happen at all?
>
>	2) why, in some cases, don't you eventually see the reassembled PDU?
>
>The answer to 1) is "because some protocols running atop TCP either
>put more than one of their PDUs in a TCP segment, with the last of the
>PDUs not fitting in the space left in the TCP segment that the TCP
>implementation chooses to send, or have PDUs that are bigger than the
>TCP segment that the TCP implementation chooses to send"; that means
>that the PDU is split between more than one TCP segment, and Wireshark
>tries to reassemble that.
>
>At least one answer to 2) is "because, for some reason, the program  
>doing the packet capture didn't manage to capture all the segments  
>across which the PDU is split, so the reassembly can't complete".
>
>Try turning TCP reassembly off in the preferences for the TCP
>dissector (that'll prevent reassembly being done for any protocol -
>TCP reassembly requires the cooperation of the TCP dissector and the
>dissector for the protocol running atop TCP, as TCP has no idea when
>the PDUs for the protocol running atop it start and end), and see what
>NDMP packets it shows, if any.  Then see if there are any missing TCP
>segments; that could be a networking problem, or could just mean that
>whatever machine couldn't capture and save all the packets in the
>conversation.

Thanks very much for this explanation, Guy.  I turned off TCP
reassembly, and Wireshark then reported the following for every other
packet from the NetApp: "Unreassembled Packet: NDMP".  So should I be
assuming that NetApp, as an efficiency, stuffs multiple PDUs into the
TCP segment, and the Wireshark NDMP dissector hasn't been trained to
decipher this?

Thanks!
tl
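
The two cases discussed in this message (PDUs split across TCP segments, and a reassembly that never completes because a segment is missing from the capture), as an added example that is not part of the original message and not Wireshark's code. It assumes a hypothetical 4-byte big-endian length prefix as the upper-layer framing; `frame`, `split`, `reassemble` and the sample captures are constructed for illustration.

```python
import struct

def frame(pdu: bytes) -> bytes:
    # Hypothetical framing (assumption): 4-byte big-endian length, then the PDU.
    return struct.pack(">I", len(pdu)) + pdu

def split(stream: bytes, isn: int, mss: int):
    # Constructed capture: cut one direction's byte stream into TCP segments.
    return [(isn + i, stream[i:i + mss]) for i in range(0, len(stream), mss)]

def reassemble(segments):
    """segments: (seq, payload) pairs for one direction of one TCP connection.

    Returns (pdus, labels, gaps): completed PDUs, one label per segment in
    sequence order, and (expected_seq, seen_seq) pairs for uncaptured bytes.
    Sequence-number wraparound is ignored to keep the example short."""
    pdus, labels, gaps = [], [], []
    buf, next_seq, synced = b"", None, True
    for seq, payload in sorted(segments):
        if next_seq is not None:
            if seq > next_seq:                  # hole: segment(s) not captured
                gaps.append((next_seq, seq))
                buf, synced = b"", False        # PDU boundaries are now unknown
            elif seq < next_seq:                # retransmission or overlap
                payload = payload[next_seq - seq:]
                seq = next_seq
                if not payload:
                    labels.append("duplicate")
                    continue
        next_seq = seq + len(payload)
        if not synced:
            labels.append("unreassembled")
            continue
        buf += payload
        done = 0
        while len(buf) >= 4:
            (length,) = struct.unpack(">I", buf[:4])
            if len(buf) < 4 + length:
                break                           # PDU continues in a later segment
            pdus.append(buf[4:4 + length])
            buf = buf[4 + length:]
            done += 1
        labels.append(f"{done} PDU(s) completed" if done
                      else "TCP segment of a reassembled PDU")
    return pdus, labels, gaps

# Constructed sample: three PDUs sent as 16-byte segments starting at seq 1000.
STREAM = frame(b"A" * 10) + frame(b"B" * 30) + frame(b"C" * 5)
FULL = split(STREAM, isn=1000, mss=16)
LOSSY = [s for s in FULL if s[0] != 1032]       # third segment was not captured
```

With `LOSSY`, the segment at sequence 1016 is still labelled as part of a reassembled PDU, but that PDU never appears, and the returned gap shows which byte range to look for in the capture.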