This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark failed to reassemble out-of-order TCP packets?

0

I'm sending a GET request to a server and found that the TCP packet containing the HTTP response is returned out of order. Example

As seen in the screenshot, TCP segments are reassembled up to packet number 170. But that is not enough to show the HTTP response in Wireshark, because packet 171 (and maybe the out-of-order packet number 167) are also parts of the response.

I want to know

  1. Is this a bug in Wireshark, or is the result expected?
  2. I want to reorder the packets to make the capture easier to analyze in Wireshark, but it seems that is not possible in Wireshark. Is there a way to reorder the packets?

Here are the captured packets: captured packets

Thanks.

asked 22 Mar '17, 01:58

ainopara

edited 22 Mar '17, 18:51

1

I think you have issues further back at packet 167 that imply a TCP segment is missing; unfortunately, a screenshot (as usual) doesn't give enough information to determine for certain. Can you post the capture somewhere and provide a link to it?

(22 Mar '17, 03:23) grahamb ♦

One Answer:

1

Looking at the capture I think this could be reassembled. The packet numbers are different in the capture file provided than in the image, as it only includes this particular TCP stream, but inspecting gives:

  • Packet 11 is the last 5 bytes of the response, but the sequence number (8156) indicates some data is missing.
  • Packet 12 is the ACK for the data sent up to and including Packet 10.
  • Packet 13 is an SACK for the data in packet 11 and it shows the missing data required (ACK to SLE - 1, or 5793 to 8155).
  • Packets 14 & 15 are the missing TCP data.
  • Packet 16 is an SACK for packet 14 reporting the data in packet 15 is still missing.
  • Packet 17 is the ACK for packet 15.

So it would appear that all the data is available but failed to be reassembled. Worthy of an entry on the Wireshark Bugzilla, attaching the capture. Might not be easy to fix though.

answered 23 Mar '17, 05:03

grahamb ♦

For future reference, the issue was reported right here: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13517

(12 Apr '17, 14:01) Lekensteyn
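
The segment sequence walked through in the answer can be replayed offline to confirm that all the bytes are present and which gap a receiver would report at each step. This is an added example, not Wireshark's reassembly code and not part of the original thread: the sequence numbers 5793, 8155 and 8156 come from the answer, while the segment boundaries (1448 and 915 bytes) and the payload bytes are constructed.

```python
# Constructed stream of 8160 bytes; relative sequence numbers start at 1.
BODY = bytes(i % 251 for i in range(8160))

def seg(seq, length):
    """Build a (seq, payload) pair carrying BODY bytes seq..seq+length-1."""
    return seq, BODY[seq - 1:seq - 1 + length]

# Capture order modelled on the answer: in-order data, then the last
# 5 bytes early (seq 8156), then the two segments that fill the hole.
CAPTURE = [seg(1, 5792), seg(8156, 5), seg(5793, 1448), seg(7241, 915)]

def reassemble(segments, start_seq=1):
    """Replay segments in capture order, buffering those that arrive early.

    Returns (stream, gaps): the in-order bytes, and for each segment the
    inclusive (first_missing, last_missing) range still outstanding,
    i.e. ACK to SLE - 1, or None when nothing is missing.
    """
    next_seq = start_seq      # next byte expected, what the receiver ACKs
    pending = {}              # seq -> payload for data ahead of next_seq
    stream = bytearray()
    gaps = []
    for seq, payload in segments:
        end = seq + len(payload)
        if seq > next_seq:
            pending.setdefault(seq, payload)        # out of order: hold it
        elif end > next_seq:
            stream += payload[next_seq - seq:]      # trims any overlap
            next_seq = end
        # Drain held segments that have become contiguous.
        while pending and min(pending) <= next_seq:
            s = min(pending)
            p = pending.pop(s)
            if s + len(p) > next_seq:
                stream += p[next_seq - s:]
                next_seq = s + len(p)
        gaps.append((next_seq, min(pending) - 1) if pending else None)
    return bytes(stream), gaps

if __name__ == "__main__":
    stream, gaps = reassemble(CAPTURE)
    print("complete:", stream == BODY)
    for (seq, payload), gap in zip(CAPTURE, gaps):
        print(f"seq={seq:5d} len={len(payload):4d} missing={gap}")
```
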