This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Is the output complete after omitting [TCP segment of reassembled PDU]?


If the tshark -r dumpfile output contains the type [TCP segment of a reassembled PDU], as in

81 3.164109000 4.5.6.7 -> 12.13.14.15 TLSv1.2 609 Application Data
83 3.164523000 4.5.6.7 -> 12.13.14.15 TCP 2802 [TCP segment of a reassembled PDU]
85 3.277723000 4.5.6.7 -> 12.13.14.15 TLSv1.2 4170 Application Data

it is clear that this means several TCP segments containing an application-level PDU (in this case, TLSv1.2).

If it is omitted from the output (via further processing, e.g. grep), does the rest still contain all the information about the flows, or not?

In other words, can one see from the remaining lines (here lines 81 and 85), how much (in this case TLS) data flowed from whom to whom?

asked 21 Oct '15, 08:43

user1234
accept rate: 50%

edited 23 Oct '15, 06:12


One Answer:


If it is omitted from the output,

I'm not sure what you mean by that (what is 'it'), but to answer your question:

does the trace still contain all the information about the flows, or not?

It depends mainly on the following conditions (at least):

  • did you capture all flows (capture filters)
  • did you experience packet loss (on the line, within the capture system)

So, if there is no '[TCP segment of a reassembled PDU]' and none of the conditions above are true, you can still have the full TCP session data in the pcap file. It means that it was not necessary for the application dissector to reassemble several TCP frames to get all required application data.

I hope I got your question right !?!

Regards
Kurt

answered 21 Oct '15, 09:29

Kurt Knochner ♦
accept rate: 15%

edited 21 Oct '15, 09:31

Thank you very much so far. I captured all flows before (via tshark -w) and did not experience packet loss. The question is about the output of tshark -r, which parses a pcap file. Regards

(21 Oct '15, 09:47) user1234

The question is about the output of tshark -r, which parses a pcap file.

can you please elaborate? What is your question regarding the output of tshark? Maybe an example helps to understand what you need.

(21 Oct '15, 13:02) Kurt Knochner ♦

In order to analyze packet data (https://en.wikipedia.org/wiki/Traffic_analysis), it helps to remove redundant messages, such as ACKs, ARP requests, etc.

Is line 83 redundant, or does it contain relevant information? Do the 4170 segments of line 85 contain the 2802 of line 83?

(22 Oct '15, 02:47) user1234

Is line 83 redundant, or does it contain relevant information?

It depends on what you want to analyze. If it's the TCP behavior (SEQ, ACK), then it's relevant. If you want to decrypt the payload, it's relevant. If you want to count the transmitted bytes, it might be relevant, but you can also deduce that from the SEQ/ACK numbers. In other cases it might be irrelevant.

it helps to remove redundant messages, such as ACKs, ARP requests, etc.

ACKs are not "redundant". Duplicate ACKs are redundant.

In order to analyze packet data

What kind of analysis do you need, where regular ACKs would be a problem?

(22 Oct '15, 07:09) Kurt Knochner ♦

What kind of analysis do you need, where regular ACKs would be a problem?

I need to analyse the TLS stream, which packets are sent and received, and in what order.

(23 Oct '15, 05:37) user1234

Well, then you can't omit those frames, because they are part of the TCP/TLS conversation.

(23 Oct '15, 06:04) Kurt Knochner ♦
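The following is an added example, not code from the thread or from the Wireshark project. It makes the two points above concrete: grepping the "[TCP segment of a reassembled PDU]" line out of the `tshark -r` summary silently drops frame 83's bytes from any per-direction total, while the SEQ-number deduction Kurt mentions still yields the correct payload count as long as the first and last frame of the burst survive. The three summary lines are the ones from the question; the per-frame `tcp.seq`/`tcp.len` values (as `tshark -T fields -e tcp.seq -e tcp.len` would print them, relative sequence numbers) are constructed to be consistent with those frame lengths assuming 54 bytes of Ethernet+IPv4+TCP headers and no TCP options. They are not from a real capture.

```python
"""Added example (not from the original thread): what is lost when
'[TCP segment of a reassembled PDU]' lines are grepped out of tshark
output, and how TCP sequence numbers recover the payload byte count.
All sample data is constructed; see the comments on each block."""
import re
from collections import defaultdict

SEGMENT_MARK = "[TCP segment of a reassembled PDU]"

# Constructed: the thread's three lines of default `tshark -r dumpfile` output.
SUMMARY_LINES = """\
81 3.164109000 4.5.6.7 -> 12.13.14.15 TLSv1.2 609 Application Data
83 3.164523000 4.5.6.7 -> 12.13.14.15 TCP 2802 [TCP segment of a reassembled PDU]
85 3.277723000 4.5.6.7 -> 12.13.14.15 TLSv1.2 4170 Application Data
""".splitlines()

# Summary layout: frame time src -> dst proto length info...
SUMMARY_RE = re.compile(
    r"^\s*(?P<frame>\d+)\s+(?P<time>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+"
    r"(?P<proto>\S+)\s+(?P<length>\d+)\s+(?P<info>.*)$"
)

def parse_summary(lines):
    """Turn summary lines into dicts; non-matching lines are skipped."""
    records = []
    for line in lines:
        m = SUMMARY_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["frame"] = int(rec["frame"])
        rec["length"] = int(rec["length"])
        rec["is_segment"] = SEGMENT_MARK in rec["info"]
        records.append(rec)
    return records

def frame_bytes_by_direction(records, keep_segments=True):
    """Sum of the Length column per (src, dst). With keep_segments=False the
    segment frame is filtered out first, so its bytes vanish from the total."""
    totals = defaultdict(int)
    for r in records:
        if r["is_segment"] and not keep_segments:
            continue
        totals[(r["src"], r["dst"])] += r["length"]
    return dict(totals)

# Constructed: what `tshark -r dumpfile -T fields -E separator=/t
#   -e frame.number -e ip.src -e ip.dst -e tcp.seq -e tcp.len`
# could print for the same frames (frame length minus 54 header bytes).
FIELD_LINES = """\
81\t4.5.6.7\t12.13.14.15\t1\t555
83\t4.5.6.7\t12.13.14.15\t556\t2748
85\t4.5.6.7\t12.13.14.15\t3304\t4116
""".splitlines()

def parse_fields(lines):
    out = []
    for line in lines:
        frame, src, dst, seq, length = line.split("\t")
        out.append({"frame": int(frame), "src": src, "dst": dst,
                    "seq": int(seq), "len": int(length)})
    return out

def payload_bytes_from_seq(records):
    """Per direction: highest (seq + len) minus lowest seq. This is the
    SEQ-number deduction from the thread: it stays correct even when an
    intermediate segment frame was filtered out, because the sequence
    space, not the frame list, carries the byte count."""
    lo, hi = {}, {}
    for r in records:
        k = (r["src"], r["dst"])
        lo[k] = min(lo.get(k, r["seq"]), r["seq"])
        hi[k] = max(hi.get(k, 0), r["seq"] + r["len"])
    return {k: hi[k] - lo[k] for k in lo}

def drop_frames(records, frames):
    """Simulate `grep -v` on the segment line by frame number."""
    return [r for r in records if r["frame"] not in frames]

if __name__ == "__main__":
    recs = parse_summary(SUMMARY_LINES)
    print(frame_bytes_by_direction(recs))                       # 7581 frame bytes
    print(frame_bytes_by_direction(recs, keep_segments=False))  # 4779: frame 83 lost
    fields = parse_fields(FIELD_LINES)
    print(payload_bytes_from_seq(fields))                       # 7419 payload bytes
    print(payload_bytes_from_seq(drop_frames(fields, {83})))    # still 7419
    print(sum(r["len"] for r in drop_frames(fields, {83})))     # 4671: naive sum is wrong
```

The last two lines of the usage block show the trade-off: a byte total derived from the sequence range survives the filtering, but anything that depends on the individual frames (which segments were sent, in what order, and whether frame 85 really completes the PDU started in frame 83) does not, which is why the final comment says those frames cannot be omitted when the TLS stream itself is the object of analysis.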