I am a little confused about this reassembly option in Wireshark. What exactly do we achieve by enabling/disabling this option?
asked 08 May '13, 09:33 krishnayeddula
One Answer:
Reassembly means that Wireshark will gather all TCP (or whatever protocol the reassembly is used for, but it's usually TCP) segments that are part of a request or answer and combine them for the next layer dissector. Think of an HTTP page being transmitted - it will not fit into one single packet in most cases, so it spans multiple TCP segments. The HTTP dissector needs the whole content in one piece, not just single segments, so TCP can assemble all segments into the complete HTTP answer and have the dissector take a look at the result instead.
Reassembly in my opinion is useful for content reconstruction, but not so much when troubleshooting timing behavior and other issues. So I usually have TCP reassembly turned off and only turn it on when I need to take a look at the content that was transferred.
answered 08 May '13, 20:33 Jasper ♦♦
Thanks Jasper! Understood.
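The reassembly step described in the answer, as an added example that is not part of the original thread and is not Wireshark's code: a constructed HTTP response is split into TCP segments, and an HTTP parser is run first on a single segment and then on the reassembled stream. All function names, the sequence numbers and the sample data are assumptions made for the illustration; only one direction of one connection is handled.

```python
# Added illustration; all names and sample data here are constructed.
ISN = 1000  # hypothetical first sequence number of the server's data
RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
            b"Content-Length: 26\r\n\r\nabcdefghijklmnopqrstuvwxyz")

def split_segments(data, isn, mss):
    """Cut data into (seq, payload) pairs of at most mss bytes each."""
    return [(isn + i, data[i:i + mss]) for i in range(0, len(data), mss)]

def reassemble(segments, isn):
    """Rebuild the contiguous byte stream that starts at isn.

    Tolerates out-of-order arrival, retransmissions and overlaps (bytes
    already collected are skipped) and stops at the first gap.
    Sequence-number wraparound is ignored to keep the sketch short.
    """
    stream, next_seq = bytearray(), isn
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        if seq > next_seq:
            break                         # missing segment: stop here
        skip = next_seq - seq             # bytes we already have
        if skip < len(payload):
            stream += payload[skip:]
            next_seq = seq + len(payload)
    return bytes(stream)

def parse_http_response(data):
    """Return (status_line, headers, body), or None if data is incomplete."""
    head, sep, body = data.partition(b"\r\n\r\n")
    if not sep:
        return None                       # header block not finished yet
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", 0))
    if len(body) < length:
        return None                       # body still spans later segments
    return lines[0], headers, body[:length]

SEGMENTS = split_segments(RESPONSE, ISN, mss=20)
# Constructed capture order: segment 2 arrives early and is retransmitted.
CAPTURED = [SEGMENTS[i] for i in (0, 2, 1, 2, 4, 3)]

if __name__ == "__main__":
    print("first segment alone:", parse_http_response(CAPTURED[0][1]))
    print("after reassembly:   ", parse_http_response(reassemble(CAPTURED, ISN)))
```

The single segment yields nothing for the parser, while the reassembled stream yields the status line, headers and full body, which is the difference the HTTP dissector sees with the option off and on.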