According to this guide: https://www.wireshark.org/docs/wsug_html_chunked/AppMessages.html you can enable TCP packet reassembly through the UI with Edit>Preferences. But I didn't see anything that would suggest that aside from "Allow subdissector to reassemble TCP stream" in the Protocols>TCP panel. But according to this doc: http://www.wireshark.org/docs/wsdg_html_chunked/ChDissectReassemble.html you can do it through your code with the tcp_dissect_pdus function. I would rather do it through the UI as it would be more convenient. Anyone know how I can do that?

asked 11 Feb '11, 15:58 Rodayo
2 Answers:
To clarify a bit: Reassembly of packets for protocols running on top of TCP requires that:
If the first of those is already true, you can do it through the UI, by turning on the "Allow subdissector to reassemble TCP stream" preference and, if the dissector in question has a preference to control whether to do reassembly, turning that preference on as well. If the first of those is not already true, either you or somebody else will have to modify the dissector to support reassembly; once that's done, reassembly could be controlled through the UI.

answered 13 Feb '11, 13:19 Guy Harris ♦♦
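To illustrate why the dissector itself has to support reassembly, here is an added stand-alone C model (not Wireshark code and not from this thread) of the two facts tcp_dissect_pdus needs from a dissector: a fixed header length and a function that reads the total PDU length from that header. The message format, `stream_t`, `get_pdu_len`, `missing` and `feed_segment` are all hypothetical names constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed format (assumption): 2-byte type, 2-byte big-endian body length, body. */
#define HDR_LEN 4
#define MAX_PDU 4096   /* sanity cap so a bogus length field cannot demand unbounded buffering */

typedef struct { uint8_t buf[MAX_PDU]; size_t used; int pdus; } stream_t;

/* The knowledge only the upper-layer dissector has: total PDU size, read from the header. */
static size_t get_pdu_len(const uint8_t *hdr) {
    return HDR_LEN + (((size_t)hdr[2] << 8) | hdr[3]);
}

/* Bytes still needed for the PDU in progress; -1 if the header claims an implausible length. */
static long missing(const stream_t *s) {
    if (s->used < HDR_LEN) return (long)(HDR_LEN - s->used);
    size_t total = get_pdu_len(s->buf);
    return total > MAX_PDU ? -1 : (long)(total - s->used);
}

/* Feed one TCP segment payload. Returns how many more bytes the current PDU needs
   (0 = segment ended on a PDU boundary), or -1 to stop reassembling this stream. */
long feed_segment(stream_t *s, const uint8_t *seg, size_t len) {
    while (len > 0) {
        long need = missing(s);
        if (need < 0) return -1;
        size_t take = (size_t)need < len ? (size_t)need : len;
        memcpy(s->buf + s->used, seg, take);
        s->used += take; seg += take; len -= take;
        if (missing(s) == 0) {   /* whole PDU buffered: a real dissector would decode it here */
            s->pdus++;
            s->used = 0;
        }
    }
    return s->used ? missing(s) : 0;
}

int main(void) {
    /* Constructed sample: one 10-byte PDU arriving in three TCP segments. */
    const uint8_t pdu[] = {0x00, 0x01, 0x00, 0x06, 'a', 'b', 'c', 'd', 'e', 'f'};
    stream_t s = {0};
    printf("need %ld more\n", feed_segment(&s, pdu, 3));
    printf("need %ld more\n", feed_segment(&s, pdu + 3, 4));
    long r = feed_segment(&s, pdu + 7, 3);
    printf("need %ld more, PDUs: %d\n", r, s.pdus);
    return 0;
}
```

Without `get_pdu_len` the TCP layer sees only bytes, so a header split across segments or a PDU spanning several packets cannot be joined; the length cap keeps a malformed or hostile length field from tying up memory.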
TCP packet reassembly is in fact controlled through the "Allow subdissector to reassemble TCP stream" in the TCP protocol preferences, if that's what you're asking. Using "Edit" -> "Preferences" is a little too much clicking work for me though - if you're running Wireshark 1.2.x or later you can just select a frame containing TCP headers, select the "Transmission Control Protocol" header line in the decode and use the popup menu where you find the same settings listed in the "Protocol Settings" submenu. That way you can access all protocol settings a lot faster than always going into the preferences dialog. The third way would be to create different profiles, one with reassembly enabled and one with reassembly disabled.

answered 12 Feb '11, 03:28 Jasper ♦♦

Reassembly is only possible if the protocol running on top of TCP allows it, e.g. there is code in the dissector to handle reassembly, as the TCP dissector has no notion about the content of the TCP payload. (12 Feb '11, 04:03) Anders ♦

True, good additional info :-) (12 Feb '11, 04:16) Jasper ♦♦
I figured that was probably the case. But like you said, I've added the reassembly code to my source and it was already enabled through the UI.
But the code doesn't actually change anything. The full data is still being split across multiple packets...