On Jul 17, 2009, at 11:59 AM, sean bzd wrote:
TCP experts,
I'm trying to understand some TCP packets sent by my application that
I captured through wireshark. I noticed that multiple send() {winsock
API) calls are being combined into a single TCP frame.
Yes. TCP is a byte-stream protocol, with no notion of packet
boundaries, so the application receiving those packets will need to be
able to handle getting multiple packets from a single read.
My custom
plugin doesn't seem to be able to parse this properly. Is there a
setting in wireshark to show these separately?
No.
OR is there something
in the plugin I can do to separate the frame into multiple app
packets??
Possibly. If your app packets either
1) have a fixed length
or
2) have some way where, after reading the first part of the app
packet, you can determine from that information how long the total
packet is
(which you might need anyway, in order to allow the application
receiving the packets to divide the byte stream it gets into app
packets) you can use tcp_dissect_pdus() in your dissector.
The otherway around - i.e a large app packet split up into multiple
tcp frames is working fine and I had to do something special in my
plugin to handle this. (reassembled PDUs).
tcp_dissect_pdus() will also handle that for you.