Grant Edwards wrote:
> I'm tracing data in a TCP connection between two devices, and
> about half way through the trace, wireshark stops displaying
> packet info and just shows [TCP segment of a reassembled PDU].
> It's _not_ a "TCP segment of a reassembled PDU". It's just a
> stream of bytes.
To what does "it" refer? The entire TCP connection is the stream of
bytes; individual packets are what are reported as TCP segments of a
reassembled PDU.
The protocol Wireshark thinks the connection is running atop TCP is one
for which it does reassembly; it appears to think that a packet
requiring reassembly is in the stream, but, for whatever reason -
perhaps TCP segments that weren't captured, or perhaps a bug - can't
finish the reassembly process for that packet.
Try turning the reassembly option off for that protocol (if it has such
an option in the preferences) or for TCP as a whole.
Could you file a bug on this, and attach a capture that shows the
problem, so, if there *is* a bug (rather than a missing packet), we can
try to fix it? (Even if there is a missing packet, it might be possible
to get the reassembly code to handle that better.)
> I've told wireshark to not decode that TCP
> stream
What do you mean by "not decode"?
> but it still refuses to display packet info. I think
> it's getting confused by packets that aren't part of the TCP
> stream in question.
If they're present in the capture but not part of the stream, that won't
affect the reassembly (unless there's a bug in the TCP reassembly code).
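
The stall described in the reply above, as an added example that is not part of the original message and is not Wireshark's code: a simplified model of PDU reassembly over TCP segments, showing that one uncaptured segment leaves every later segment labelled as a fragment, while the same segments with reassembly turned off are each shown on their own. The 2-byte length framing, the sequence numbers, the sample payloads and all function names are assumptions made for illustration.

```python
import struct

PENDING = "[TCP segment of a reassembled PDU]"

def label_segments(segments, first_seq, reassemble=True):
    """Label captured (seq, payload) segments the way a reassembling dissector
    would. Assumed framing: 2-byte big-endian length, then that many bytes."""
    labels = []
    expected = first_seq   # next in-order sequence number
    buf = b""              # contiguous bytes not yet consumed as whole PDUs
    held = {}              # segments that arrived past a gap in the stream
    for seq, payload in segments:
        if not reassemble:
            # Reassembly off: each segment is dissected by itself.
            labels.append(f"Data ({len(payload)} bytes)")
            continue
        held[seq] = payload
        # Move every segment that is now contiguous into the buffer.
        while expected in held:
            chunk = held.pop(expected)
            buf += chunk
            expected += len(chunk)
        # Consume as many complete PDUs as the buffer holds.
        done = []
        while len(buf) >= 2:
            (n,) = struct.unpack("!H", buf[:2])
            if len(buf) < 2 + n:
                break
            done.append(n)
            buf = buf[2 + n:]
        labels.append(", ".join(f"{n}-byte PDU" for n in done) if done else PENDING)
    return labels

# Constructed sample: two 6-byte PDUs split across four 4-byte TCP segments.
FULL_CAPTURE = [
    (1000, b"\x00\x06AA"),
    (1004, b"AAAA"),
    (1008, b"\x00\x06BB"),
    (1012, b"BBBB"),
]
# Same capture with the second segment never captured.
GAPPED_CAPTURE = [s for s in FULL_CAPTURE if s[0] != 1004]

if __name__ == "__main__":
    for name, cap in (("full", FULL_CAPTURE), ("gapped", GAPPED_CAPTURE)):
        print(name, label_segments(cap, 1000))
    print("gapped, reassembly off", label_segments(GAPPED_CAPTURE, 1000, False))
```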