Wireshark-users: Re: [Wireshark-users] Out of sequence packets

From: Sake Blok <sake@xxxxxxxxxx>
Date: Sun, 26 Apr 2009 20:33:58 +0200
On Sun, Apr 26, 2009 at 10:13:30PM +1000, Martin Visser wrote:

> On Sun, Apr 26, 2009 at 7:50 PM, Matthieu Patou
> <mat+Informatique.Wireshark@xxxxxxxxx> wrote:
> 
> Some of the dissected protocols for instance HTTP also allow you to
> have visibility of the whole object, as long it is complete, even if
> it is made up of out of order or duplicate packets.

Which is true for every packet *except* the first packet of a PDU. If
that packet is received out-of-order, Wireshark is not able to dissect
that PDU as it is fed with faulty information.

This is the case I believe Matthieu was referring to:

> > reorder packets (ie. if you have sequence 1341 before sequence 1 then
> > you're caught).

I was looking at the TCP dissector this afternoon to see how easy it
would be to park a packet in the defragmentation queue when a previous
packet has been lost (due to out-of-order) and a new PDU was expected.
This should solve the issue (unless the packet was not out-of-order, but
really lost).

Unfortunately I was not yet able to find a way to do that. If anyone has
an idea, feel free :-)

Cheers,
   Sake
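The difference the two messages above describe (mid-PDU reordering reassembles fine, a late *first* segment of a PDU does not) is easy to see in a toy stream reassembler. The following is an added example written for this archive page; it is not Wireshark's TCP dissector or any code from the thread. It assumes a hypothetical PDU framing (2-byte big-endian length prefix), a constructed initial sequence number, and a deliberately simplified model in which a segment with an unexpected sequence number is either dissected as a new PDU start (the behaviour Sake describes) or parked until the gap is filled (the change he was looking for).

```python
"""Toy TCP stream reassembler: shows why an out-of-order first segment of
a PDU breaks dissection, and how parking segments until the gap closes
avoids it. Added example, not Wireshark code; framing is hypothetical.
"""
import struct

ISN = 1000  # constructed initial sequence number for the stream


def encode_pdu(payload: bytes) -> bytes:
    """Hypothetical framing: 2-byte big-endian length, then the payload."""
    return struct.pack(">H", len(payload)) + payload


def split_pdus(data: bytes):
    """Carve complete PDUs off the front of data; return (pdus, leftover)."""
    pdus = []
    while len(data) >= 2:
        (n,) = struct.unpack(">H", data[:2])
        if len(data) < 2 + n:
            break  # PDU incomplete: wait for more bytes
        pdus.append(data[2:2 + n])
        data = data[2 + n:]
    return pdus, data


class StreamReassembler:
    def __init__(self, isn: int, park_at_pdu_start: bool):
        self.expected = isn                    # next in-order seq we need
        self.park_at_pdu_start = park_at_pdu_start
        self.parked = {}                       # seq -> payload, waiting for a gap to close
        self.buf = b""                         # bytes of the PDU currently in progress
        self.pdus = []                         # dissected PDU payloads

    def feed(self, seq: int, payload: bytes):
        if seq < self.expected:
            return  # duplicate/retransmission (simplified: whole-segment overlap only)
        if seq > self.expected:
            # A segment before this one has not arrived yet. If a PDU is already
            # in progress we know we are mid-PDU and can queue by offset. At a
            # PDU boundary the naive path has no such knowledge and dissects
            # this segment as if it started a new PDU (the faulty case).
            if self.buf or self.park_at_pdu_start:
                self.parked[seq] = payload
                return
        self._consume(seq, payload)
        # the gap (if any) is now closed: drain parked segments in order
        while self.expected in self.parked:
            self._consume(self.expected, self.parked.pop(self.expected))

    def _consume(self, seq: int, payload: bytes):
        self.buf += payload
        self.expected = seq + len(payload)
        done, self.buf = split_pdus(self.buf)
        self.pdus.extend(done)


def segments(stream: bytes, cuts):
    """Cut the byte stream at the given offsets into (seq, payload) segments."""
    bounds = [0] + list(cuts) + [len(stream)]
    return [(ISN + a, stream[a:b]) for a, b in zip(bounds, bounds[1:])]


def reassemble(segs, arrival_order, park: bool):
    r = StreamReassembler(ISN, park)
    for i in arrival_order:
        r.feed(*segs[i])
    return r.pdus


# Constructed sample stream: three PDUs, 7 + 8 + 9 bytes on the wire.
PDUS = [b"GET a", b"GET bb", b"GET ccc"]
STREAM = b"".join(encode_pdu(p) for p in PDUS)
# seg0 = PDU1, seg1 = head of PDU2 (its first segment), seg2 = middle of PDU2,
# seg3 = tail of PDU2 + all of PDU3
SEGS = segments(STREAM, [7, 11, 13])


def demo():
    """Return the dissected PDUs for each delivery order / strategy."""
    return {
        "in_order_naive": reassemble(SEGS, [0, 1, 2, 3], park=False),
        # seg2 arrives after seg3 while PDU2 is already in progress: fine
        "mid_pdu_ooo_naive": reassemble(SEGS, [0, 1, 3, 2], park=False),
        # seg1 (first segment of PDU2) arrives late: naive dissection breaks
        "first_seg_ooo_naive": reassemble(SEGS, [0, 2, 1, 3], park=False),
        # same arrival order with parking at PDU boundaries: recovered
        "first_seg_ooo_parked": reassemble(SEGS, [0, 2, 1, 3], park=True),
    }


if __name__ == "__main__":
    for name, pdus in demo().items():
        print(f"{name:22s} -> {pdus}")
```

In the `first_seg_ooo_naive` case the bytes `b"T "` of segment 2 are read as a length prefix of 21536, the real first segment is then discarded as a retransmission, and only the first PDU is ever dissected; with parking, the same arrival order yields all three PDUs. The caveat from the message still applies: a parked segment whose predecessor was genuinely lost stays parked forever, so a real implementation needs a bound (by bytes or by later in-stream progress) on how long it waits.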