>There are two questions here:
>
> 1) why does "TCP Segment of a reassembled PDU" happen at all?
>
> 2) why, in some cases, don't you eventually see the reassembled
>PDU?
>
>The answer to 1) is "because some protocols running atop TCP either
>put more than one of their PDUs in a TCP segment, with the last of the
>PDUs not fitting in the space left in the TCP segment that the TCP
>implementation chooses to send, or have PDUs that are bigger than the
>TCP segment that the TCP implementation chooses to send"; that means
>that the PDU is split between more than one TCP segment, and Wireshark
>tries to reassemble that.
>
>At least one answer to 2) is "because, for some reason, the program
>doing the packet capture didn't manage to capture all the segments
>across which the PDU is split, so the reassembly can't complete".
>
>Try turning TCP reassembly off in the preferences for the TCP
>dissector (that'll prevent reassembly being done for any protocol -
>TCP reassembly requires the cooperation of the TCP dissector and the
>dissector for the protocol running atop TCP, as TCP has no idea when
>the PDUs for the protocol running atop it start and end), and see what
>NDMP packets it shows, if any. Then see if there are any missing TCP
>segments; that could be a networking problem, or could just mean that
>whatever machine couldn't capture and save all the packets in the
>conversation.
Thanks very much for this explanation, Guy. I turned off TCP
reassembly, and Wireshark then reported the following for every other
packet from the NetApp: "Unreassembled Packet: NDMP". So should I be
assuming that NetApp, as an efficiency, stuffs multiple PDUs into the
TCP segment, and the Wireshark NDMP dissector hasn't been trained to
decipher this?
Thanks!
tl
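As an added illustration of what Guy describes above (example code written for this note, not part of the thread): a small reassembler that pulls length-prefixed PDUs out of a TCP byte stream, so that two whole PDUs plus the start of a third land in one segment, the third completes in later segments, and a segment missing from the capture leaves the PDU unreassembled. The framing is assumed to be the 4-byte record-marking header that ONC RPC (and NDMP over TCP) use; the sequence numbers and payloads are constructed.

```python
import struct
from dataclasses import dataclass, field

@dataclass
class PduReassembler:
    """Reassemble length-prefixed PDUs from TCP segments.
    Framing assumed (ONC RPC record marking, which NDMP uses over TCP): 4-byte
    big-endian header, low 31 bits = record length; the last-fragment bit is
    ignored, so each record counts as one PDU. Segments carry their TCP sequence
    number so a segment missing from the capture shows up as a gap.
    """
    next_seq: int
    buf: bytearray = field(default_factory=bytearray)
    pdus: list = field(default_factory=list)
    gap: bool = False

    def feed(self, seq, payload):
        if self.gap or seq != self.next_seq:
            # Segment lost or never captured: bytes after the hole cannot be framed
            self.gap = True
            return
        self.buf += payload
        self.next_seq += len(payload)
        # Pull out every complete PDU the buffer now holds (may be several per segment)
        while len(self.buf) >= 4:
            (mark,) = struct.unpack("!I", self.buf[:4])
            length = mark & 0x7FFFFFFF
            if len(self.buf) < 4 + length:
                break  # PDU continues in a later segment ("segment of a reassembled PDU")
            self.pdus.append(bytes(self.buf[4:4 + length]))
            del self.buf[:4 + length]

def frame(body):
    """Constructed record: last-fragment bit set, then the body."""
    return struct.pack("!I", 0x80000000 | len(body)) + body

def demo():
    pdus = [b"A" * 10, b"B" * 20, b"C" * 60]
    stream = b"".join(frame(p) for p in pdus)          # 14 + 24 + 64 = 102 bytes
    # Constructed segmentation: segment 1 carries two whole PDUs plus the start of the third
    segs = [(1000, stream[:50]), (1050, stream[50:80]), (1080, stream[80:])]
    full = PduReassembler(next_seq=1000)
    for seq, data in segs:
        full.feed(seq, data)
    # Same stream, but the middle segment was not captured
    lost = PduReassembler(next_seq=1000)
    for seq, data in (segs[0], segs[2]):
        lost.feed(seq, data)
    return full, lost
```

With the complete capture all three PDUs come out; with the middle segment missing only the first two do, and the third stays buffered as an unreassembled fragment, which is the state the "Unreassembled Packet" label reports.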