Wireshark-users: Re: [Wireshark-users] TCP segment of a reassembled PDU

From: Sake Blok <sake@xxxxxxxxxx>
Date: Fri, 6 Jun 2008 09:29:54 +0200
On Thu, Jun 05, 2008 at 08:19:40PM -0700, Vishal Study wrote:
> 
> Ethereal is showing a lot of packets with "TCP segment of a reassembled
> PDU" in Info field.
> 
> Which of the following is true:
> 
> - Is the received packet IP-fragmented? I don't think so as IP
> flags/fragment-offset is all 0s.

Indeed, the message "TCP segment of a reassembled PDU" has nothing to
do with IP fragmentation (however, this TCP segment may in its turn be
IP fragmented).

> - Is this a TCP fragmented packet? I don't see pkts coming out of order,
> so don't think so.

Out-of-order packets are not related to TCP segmentation. The 
reassembly does not refer to putting the received segments in the
right order before passing the data to the upper layer. But...

> - Or is this part of a bigger application packet that has multiple TCP
> pkts (and all with the same Info:..TCP segment of a reassembled PDU).

YES! The message means that TCP handed off the dissection to a higher
layer protocol dissector. This dissector told the TCP dissector to
collect multiple TCP segments to construct one PDU. If all goes well,
the packet that contains the last part of the application PDU will
have full dissection of the application protocol. If this does
not happen, please file a bug on http://bugs.wireshark.org and
attach the capture file of that particular tcp session.

You can disable the reassembly of TCP segments by unchecking the
"Allow subdissector to desegment TCP streams" in the TCP protocol
preferences. That way, all parts of the application PDU will be 
displayed on their own.

Hope this helps,
Cheers,
    Sake
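
The behaviour described in this reply, as an added example that is not part of the original message and is not Wireshark's own code: a simplified Python model of a subdissector asking the TCP layer to collect more segments before it can dissect a PDU. The 2-byte length-prefixed protocol, the function names and the sample bytes are assumptions made for illustration.

```python
import struct

REASSEMBLED = "TCP segment of a reassembled PDU"
HDR = 2  # toy protocol (assumption): 2-byte big-endian length, then body


def dissect_pdus(data):
    """Split data into complete PDU bodies; return (bodies, leftover bytes)."""
    bodies, off = [], 0
    while len(data) - off >= HDR:
        (length,) = struct.unpack_from(">H", data, off)
        if len(data) - off - HDR < length:
            break  # PDU incomplete: the subdissector asks for more segments
        bodies.append(data[off + HDR:off + HDR + length])
        off += HDR + length
    return bodies, data[off:]


def info_column(segments, desegment=True):
    """Return one Info string per in-order TCP segment of a single stream."""
    infos, pending = [], b""
    for payload in segments:
        if desegment:
            # Bytes of an unfinished PDU are carried over to the next segment.
            bodies, pending = dissect_pdus(pending + payload)
            if bodies:
                infos.append("; ".join(f"PDU {b.decode()!r}" for b in bodies))
            else:
                infos.append(REASSEMBLED)
        else:
            # Each payload is handed to the subdissector alone, so a PDU
            # that spans several segments never completes.
            bodies, rest = dissect_pdus(payload)
            parts = [f"PDU {b.decode()!r}" for b in bodies]
            if rest or not parts:
                parts.append(f"undissected fragment ({len(rest)} bytes)")
            infos.append("; ".join(parts))
    return infos


def demo_segments():
    # Constructed sample: two PDUs cut at arbitrary segment boundaries.
    stream = b"".join(struct.pack(">H", len(m)) + m
                      for m in (b"HELLO WORLD", b"BYE"))
    return [stream[:5], stream[5:9], stream[9:15], stream[15:]]


if __name__ == "__main__":
    for mode in (True, False):
        print("desegment =", mode)
        for n, info in enumerate(info_column(demo_segments(), mode), 1):
            print(f"  segment {n}: {info}")
```

With reassembly on, only the segment carrying the last byte of a PDU shows the application dissection; with it off, every segment is shown on its own and none of the split PDUs is decoded.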