Wireshark-users: Re: [Wireshark-users] How to get rid of "TCP segment of a reassembled PDU" messa

From: Grant Edwards <grante@xxxxxxxx>
Date: Wed, 26 Mar 2008 19:24:34 +0000 (UTC)
On 2008-03-26, DePriest, Jason R. <jrdepriest@xxxxxxxxx> wrote:
> On Wed, Mar 26, 2008 at 5:17 PM, Grant Edwards wrote:

>> I'm tracing data in a TCP connection between two devices, and
>> about half way through the trace, wireshark stops displaying
>> packet info and just shows [TCP segment of a reassembled PDU].
>>
>> It's _not_ a "TCP segment of a reassembled PDU".  It's just a
>> stream of bytes.  I've told wireshark to not decode that TCP
>> stream but it still refuses to display packet info.  I think
>> it's getting confused by packets that aren't part of the TCP
>> stream in question.
>
> From the wiki
>=-=-=-=-==-=-=-=-==-=-=-=-==-=-=-=-==-=-=-=-==-=-=-=-=
> TCP Reassembly (http://wiki.wireshark.org/TCP_Reassembly)
>
> Wireshark supports reassembly of PDUs spanning multiple TCP segments
> for a large number of protocols implemented on top of TCP. These
> protocols include, but are not limited to, iSCSI, HTTP, DNS, Kerberos,
> CIFS, ONC-RPC etc. All in all probably something like 20 different
> protocols. The support to do this is very easy to add to Wireshark if
> required for new protocols, so if your favorite protocol is missing,
> please give the Wireshark developers a shout.

The problem is that the TCP stream isn't using any protocol.
There's no reason for wireshark to think there are any PDUs in
the stream.  AFAICT I've turned off decoding for all packets in
the TCP stream.

> Note that TCP Reassembly ONLY works if you capture the entire
> packet and if all the checksums for that packet are valid. If
> you use packet slicing and only capture parts of the packets
> OR if the packets have incorrect checksums, i.e. TCP Checksum
> Verification fails, then the packets will be ignored and
> reassembly will fail. (You can disable the TCP Checksum
> Verification test in preferences.)

There is no reassembly to be done.  It's just an arbitrary TCP
byte stream.  Packets are displayed fine for a hundred or two
packets, then it starts displaying the PDU message and never
stops.

> Are you dropping any packets?

No.

> TCP checksums can fail if your NIC is offloading the checksums.  Check
> your driver settings.

I am seeing TCP checksum failures in one direction, but the
PDU messages are for packets in the other direction.

-- 
Grant Edwards                   grante             Yow! Is it clean in other
                                  at               dimensions?
                               visi.com