This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Query on TCP segment of a reassembled PDU option

0

I am aware of what this feature does, but I would like to know more about when to enable this feature and when to disable it.

When I enable TCP reassembly I am not seeing any HTTP 200 OK responses, but I am seeing "TCP segment of a reassembled PDU".

When I disable TCP reassembly I am seeing the HTTP 200 OK response.

As I said earlier, I want to know more about when to enable and when to disable this option.

Thanks,

asked 08 Apr '13, 12:14

krishnayeddula

edited 08 Apr '13, 13:11

Jasper ♦♦


One Answer:

2

You should see the HTTP 200 OK in the info column either way, but with reassembly enabled it is displayed in the last packet of the content, not the first (where it is in reality, if you check the payload).

My rule of thumb: disable TCP reassembly by default. Enable if you need to reconstruct payload content, e.g. for forensic analysis.

answered 08 Apr '13, 12:17

Jasper ♦♦

Thanks. As you mentioned, I am seeing HTTP 200 OK in both cases. When TCP reassembly is disabled the 200 OK packet size is 1502, but when it is enabled the 200 OK packet size is 712 bytes. Can you please clarify the reason behind this for me?

(08 Apr '13, 12:28) krishnayeddula
2

That's because the packet size is the size of the current packet, not of the reassembled higher layer PDU. And the last segment of a reassembled PDU is usually smaller than the others...

(08 Apr '13, 12:42) SYN-bit ♦♦

Got it. Thanks.

(08 Apr '13, 12:45) krishnayeddula
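
The behaviour described in the answer and in the comments above, as an added example that is not part of the original thread and is not Wireshark's code: a simplified Python model of which frame gets the HTTP status line in the info column with reassembly off and on, and why the length shown is always that of the current frame. The 54-byte header overhead, the 1448-byte MSS and the response itself are constructed so that the frame lengths come out as the 1502 and 712 bytes mentioned in the thread.

```python
# Simplified model of info-column labelling for one HTTP response split over
# several TCP segments. Constructed sample data; assumed values are marked.
HDR_OVERHEAD = 54   # assumption: Ethernet 14 + IPv4 20 + TCP 20, no options
MSS = 1448          # assumption: payload bytes per full-sized segment

def build_segments():
    """Constructed HTTP response, cut into MSS-sized TCP payloads."""
    body = b"x" * 3488
    head = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
            b"Content-Length: %d\r\n\r\n" % len(body))
    data = head + body
    return [data[i:i + MSS] for i in range(0, len(data), MSS)]

def status_line(payload):
    """First line of the payload if it starts an HTTP message, else None."""
    if payload.startswith(b"HTTP/"):
        return payload.split(b"\r\n", 1)[0].decode()
    return None

def pdu_length(buf):
    """Total HTTP PDU length once the headers are complete, else None."""
    head, sep, _ = buf.partition(b"\r\n\r\n")
    if not sep:
        return None
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            return len(head) + 4 + int(value)
    return len(head) + 4

def info_column(segments, reassemble):
    """Return (frame number, frame length, info text) for each segment."""
    rows, buf = [], b""
    for no, seg in enumerate(segments, 1):
        frame_len = HDR_OVERHEAD + len(seg)   # always the current frame only
        if not reassemble:
            info = status_line(seg) or "Continuation"
        else:
            buf += seg
            total = pdu_length(buf)
            if total is not None and len(buf) >= total:
                info = "%s (reassembled PDU: %d bytes)" % (
                    status_line(buf) or "HTTP data", total)
                buf = buf[total:]
            else:
                info = "[TCP segment of a reassembled PDU]"
        rows.append((no, frame_len, info))
    return rows
```

Calling `info_column(build_segments(), False)` and then with `True` shows the status line moving from the first frame to the last one, while the frame lengths stay the same in both modes.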