On Sun, Apr 26, 2009 at 10:13:30PM +1000, Martin Visser wrote:
> On Sun, Apr 26, 2009 at 7:50 PM, Matthieu Patou
> <mat+Informatique.Wireshark@xxxxxxxxx> wrote:
>
> Some of the dissected protocols, for instance HTTP, also allow you to
> have visibility of the whole object, as long as it is complete, even if
> it is made up of out of order or duplicate packets.

Which is true for every packet *except* the first packet of a PDU. If
that packet is received out-of-order, Wireshark is not able to dissect
that PDU as it is fed with faulty information.

This is the case I believe Matthieu was referring to:

> > reorder packets (ie. if you have sequence 1341 before sequence 1 then
> > you're caught).

I was looking at the TCP dissector this afternoon to see how easy it
would be to park a packet in the defragmentation queue when a previous
packet has been lost (due to out-of-order) and a new PDU was expected.
This should solve the issue (unless the packet was not out-of-order, but
really lost).

Unfortunately I was not yet able to find a way to do that. If anyone has
an idea, feel free :-)

Cheers,
Sake
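
The parking idea described in this message, sketched as an added example (not Wireshark's TCP dissector code and not from the thread): segments that arrive ahead of the next expected sequence number are held until the gap is filled, so the PDU parser only ever sees in-order bytes. The 2-byte length framing, all names, and the sample segments are constructed; sequence-number wraparound is ignored.

```python
import struct

def split_pdus(buf):
    """Split bytes into PDUs framed by a 2-byte big-endian length (constructed framing)."""
    out = []
    while len(buf) >= 2:
        (n,) = struct.unpack_from(">H", buf)
        if len(buf) < 2 + n:
            break                      # PDU not complete yet, wait for more bytes
        out.append(buf[2:2 + n])
        buf = buf[2 + n:]
    return out, buf

class ParkingReassembler:
    def __init__(self, isn):
        self.next_seq = isn            # next in-order sequence number expected
        self.parked = {}               # seq -> payload of segments that arrived early
        self.pending = b""             # in-order bytes that do not yet form a whole PDU
        self.pdus = []

    def feed(self, seq, payload):
        if seq + len(payload) <= self.next_seq:
            return                     # duplicate or retransmission, already consumed
        if seq > self.next_seq:
            self.parked.setdefault(seq, payload)   # gap before it: park, do not parse
            return
        self._deliver(payload[self.next_seq - seq:])   # trim any overlap
        while self.parked and min(self.parked) <= self.next_seq:
            s = min(self.parked)       # gap closed: release parked segments in order
            p = self.parked.pop(s)
            if s + len(p) > self.next_seq:
                self._deliver(p[self.next_seq - s:])

    def _deliver(self, data):
        self.next_seq += len(data)
        done, self.pending = split_pdus(self.pending + data)
        self.pdus.extend(done)

def reassemble(segments, isn=1):
    r = ParkingReassembler(isn)
    for seq, payload in segments:
        r.feed(seq, payload)
    return r.pdus

def naive_arrival_order(segments):
    """Parse bytes in arrival order: the failure mode when a PDU's first segment is late."""
    return split_pdus(b"".join(p for _, p in segments))[0]

# Constructed capture: two PDUs; the first segment of the second PDU (seq 9)
# arrives after its continuation (seq 16) and is then retransmitted.
STREAM = b"\x00\x06GET /a" + b"\x00\x0chello world!"
SEGMENTS = [(1, STREAM[0:8]), (16, STREAM[15:22]), (9, STREAM[8:15]), (9, STREAM[8:15])]
```

If the missing segment was really lost rather than reordered, the parked data stays in `parked` indefinitely, which is the caveat the message itself raises.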