On Feb 11, 2010, at 2:31 AM, Salman Malik wrote:
> I wanted to ask: how does wireshark detect segments of TCP ? I mean which field does it camp on to detect if the last TCP segment has arrived ?
As Olivier noted, there is, and can be, no such field; the TCP dissector and the dissector for the protocol running atop TCP have to cooperate to perform reassembly.
> Actually I'm working with some GTP traffic,
Presumably this is the GSM/3GPP GTP protocol; at least according to 3GPP TS 09.60 version 7.8.0 Release 1998/ETSI TS 101 347 V7.8.0 (2001-09), a GTP message has a 2-octet length field, giving the length of the message (not counting the fixed-length 20-octet header), so it appears that it could use tcp_dissect_pdus() for GTP-over-TCP.
However, it doesn't, so:
> when I filter it for m-send-req message (used in mms transaction flow) and try to save it in a separate pcap, I don't see the packet (primarily because the packet consisted of two TCP segments, first of which was not shown after the application of filter and thus is shown as "continuation or non-http traffic") .
...that won't work.
Note, though, that, if we *do* implement reassembly, only one of the TCP segments will be matched by the filter - the one containing the last octet of the GTP message in question - so saving the message to a file will require that you do more work to show all the TCP segments that contain data from the message.
> Someone help please !
If you can file a bug in the Wireshark bugzilla, asking that we implement reassembly for GTP-over-TCP, and attach a capture file with a GTP message split over multiple TCP segments, so that we can test any fix we make, that would be best.