Wireshark-users: Re: [Wireshark-users] Question about TCP buffering and Wireshark

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Fri, 17 Jul 2009 12:14:26 -0700

On Jul 17, 2009, at 11:59 AM, sean bzd wrote:

> TCP experts,
> I'm trying to understand some TCP packets sent by my application that
> I captured through wireshark. I noticed that multiple send() (winsock
> API) calls are being combined into a single TCP frame.

Yes. TCP is a byte-stream protocol, with no notion of packet boundaries, so the application receiving those packets will need to be able to handle getting multiple packets from a single read.

> My custom
> plugin doesn't seem to be able to parse this properly. Is there a
> setting in wireshark to show these separately?

No.

> OR is there something
> in the plugin I can do to separate the frame into multiple app
> packets??

Possibly. If your app packets either

    1) have a fixed length

or

    2) have some way where, after reading the first part of the app packet, you can determine from that information how long the total packet is

(which you might need anyway, in order to allow the application receiving the packets to divide the byte stream it gets into app packets) you can use tcp_dissect_pdus() in your dissector.

> The other way around - i.e. a large app packet split up into multiple
> tcp frames is working fine and I had to do something special in my
> plugin to handle this. (reassembled PDUs).

tcp_dissect_pdus() will also handle that for you.
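As an added illustration (not code from this thread or from Wireshark), the following C program shows the same two-step logic that tcp_dissect_pdus() relies on, applied on the receiving application's side: read a fixed-size header, derive the total PDU length from it, and wait for more bytes if the PDU is not yet complete. It assumes a constructed protocol with a 2-byte big-endian length field (covering the header) followed by a 1-byte type, and feeds it one read() with two coalesced app packets and a third app packet split across two reads. The length field is treated as untrusted input and bounds-checked before use.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed example protocol: 2-byte big-endian length (header included),
 * 1-byte type, then payload. The length field is what makes the stream splittable. */
#define HDR_LEN 3
#define MAX_PDU 1024

typedef struct {
    uint8_t buf[2 * MAX_PDU];   /* bytes received but not yet consumed */
    size_t used;
    size_t pdus;                /* complete app packets delivered so far */
} framer_t;

/* Same role as the get_pdu_len callback: given HDR_LEN bytes, return the total PDU size. */
static size_t get_pdu_len(const uint8_t *hdr) {
    return ((size_t)hdr[0] << 8) | hdr[1];
}

/* Feed one read()'s worth of bytes. Returns the number of complete PDUs found in the
 * buffer, or -1 if the length field is out of range or the buffer would overflow
 * (the receiver should then drop the connection rather than trust the sender). */
static int framer_feed(framer_t *f, const uint8_t *data, size_t len) {
    if (len > sizeof f->buf - f->used) return -1;
    memcpy(f->buf + f->used, data, len);
    f->used += len;
    int delivered = 0; size_t off = 0;
    while (f->used - off >= HDR_LEN) {                   /* enough bytes to learn the length? */
        size_t pdu_len = get_pdu_len(f->buf + off);
        if (pdu_len < HDR_LEN || pdu_len > MAX_PDU) return -1;   /* malformed: never trust it */
        if (f->used - off < pdu_len) break;              /* PDU spans reads: wait for more */
        printf("PDU type=0x%02x len=%zu\n", f->buf[off + 2], pdu_len);
        off += pdu_len; delivered++; f->pdus++;
    }
    memmove(f->buf, f->buf + off, f->used - off);        /* keep the partial tail */
    f->used -= off;
    return delivered;
}

/* Constructed stream: two PDUs coalesced into one read, a third split across two reads. */
static size_t run_demo(void) {
    static const uint8_t read1[] = {0,4,0x01,0xAA,  0,3,0x02,  0,6,0x03,0x11};
    static const uint8_t read2[] = {0x22,0x33};
    framer_t f = {0};
    if (framer_feed(&f, read1, sizeof read1) != 2) return 0;   /* 2 complete, 1 partial */
    if (framer_feed(&f, read2, sizeof read2) != 1) return 0;   /* reassembled third PDU */
    return f.pdus;
}

int main(void) { printf("delivered %zu app packets\n", run_demo()); return 0; }
```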