Is there a way to display the payload data from a Wireshark trace so as to re-sequence it (to get rid of out-of-order errors). We need to determine exactly what the application sees AFTER the packets associated with a given TCP stream have been put into proper sequence. We could correlate the sequence numbers manually, but were hoping for some automated way to accomplish what we need. Follow TCP stream apparently displays the data as it was seen on the network, not as the app process it once re-ordered. asked 21 Jun '11, 09:51  jowimi |
One Answer:
Follow TCP stream does just that, it reorders data according to sequence numbers and will put those in the output. The only reason for that to be messed up that I can imagine is when out-of-order packets are seen while both endpoints are sending data at the same time. Are you able to share the tracefile to have a look whether Follow TCP stream is indeed behaving as expected (which it does not seem to do on your tracefile)? answered 21 Jun '11, 14:07  SYN-bit ♦♦ |
According to the Wireshark documentation at http://www.wireshark.org/docs/wsug_html/#ChAdvFollowTCPSection,
[The stream content is displayed in the same sequence as it appeared on the network. Traffic from A to B is marked in red, while traffic from B to A is marked in blue...]
The "same sequence as it appeared on the network" is somewhat misleading in that it implies that packets appear in received sequence, not in sequence number sequence. I'll assume you're correct.
Thanks much for your response.
P.S. I can't share the trace file as it contains live patient data