This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hello,

I'm not sure if this is a bug or a feature, but it is definitely inconvenient: If data is split into several packets, Wireshark does not identify the protocol correctly. Continuation packets are always of the type TCP (or probably UDP where appropriate) instead of the higher protocol this TCP connection uses (for example HTTP or, in our current case, NCP). This causes problems with filters and statistics; for example, a filter for "http" in the IO Graph of Wireshark will ignore all continuation packets. Thus, if even moderately large files are transferred, the statistic is missing packets. The graph shows a gap between the protocol and all packets, and it is not clear which protocol is responsible for those packets. The same happens in the "Conversations" view.

Maybe I'm just missing the right option: I'm searching for an option to flag the protocol of continuation packets the same as the rest of the conversation. This would allow filters for protocols to work as expected. This would of course require analysing the whole TCP conversation, not just the packet at hand. I already checked the settings of the relevant protocol: both "Reassemble NCP-over-TCP messages spanning multiple TCP segments" and "Reassemble fragmented NDS messages spanning multiple reply packets" are set to on (the default), as are the similar options for HTTP.

Is this behaviour intentional? Can it be changed?

Greetings Markus

asked 16 Jan '15, 00:54

Markus68


question asked: 16 Jan '15, 00:54

question was seen: 1,826 times

last updated: 16 Jan '15, 00:54
