This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

“TCP segment of a reassembled PDU” causes wrong protocol detection (TCP instead of NCP)

0

Hello,

I'm not sure if this is a bug or a feature, but it is definitely inconvenient: if data is split into several packets, Wireshark does not identify the protocol correctly. Continuation packets are always of the type TCP (or probably UDP where appropriate) instead of the higher protocol this TCP connection uses (for example HTTP, or in our current case NCP). This causes problems with filters and statistics; for example, a filter for "http" in the IO Graph of Wireshark will ignore all continuation packets. Thus, if even moderately large files are transferred, the statistic is missing packets. The graph shows a gap between the protocol and all packets, and it is not clear which protocol is responsible for those packets. The same happens in the "Conversations" view.

Maybe I'm just missing the right option: I'm searching for an option to flag the protocol of continuation packets the same as the rest of the conversation. This would allow filters for protocols to work as expected. This would of course require analysing the whole TCP conversation, not just the packet at hand. I already checked the settings of the relevant protocol; both "Reassemble NCP-over-TCP messages spanning multiple TCP segments" and "Reassemble fragmented NDS messages spanning multiple reply packets" are set to on (the default), as are the similar options for HTTP.

Is this behaviour intentional? Can it be changed?

Greetings, Markus

asked 16 Jan '15, 00:54

Markus68
6112
accept rate: 0%