>There's two questions here:
>
>   1) why does "TCP Segment of a reassembled PDU" happen at all?
>
>   2) why, in some cases, don't you eventually see the reassembled PDU?
>
>The answer to 1) is "because some protocols running atop TCP either
>put more than one of their PDUs in a TCP segment, with the last of the
>PDUs not fitting in the space left in the TCP segment that the TCP
>implementation chooses to send, or have PDUs that are bigger than the
>TCP segment that the TCP implementation chooses to send"; that means
>that the PDU is split between more than one TCP segment, and Wireshark
>tries to reassemble that.
>
>At least one answer to 2) is "because, for some reason, the program
>doing the packet capture didn't manage to capture all the segments
>across which the PDU is split, so the reassembly can't complete".
>
>Try turning TCP reassembly off in the preferences for the TCP
>dissector (that'll prevent reassembly being done for any protocol -
>TCP reassembly requires the cooperation of the TCP dissector and the
>dissector for the protocol running atop TCP, as TCP has no idea when
>the PDUs for the protocol running atop it start and end), and see what
>NDMP packets it shows, if any. Then see if there are any missing TCP
>segments; that could be a networking problem, or could just mean that
>whatever machine couldn't capture and save all the packets in the
>conversation.

Thanks very much for this explanation, Guy. I turned off TCP reassembly, and Wireshark then reported the following for every other packet from the NetApp: "Unreassembled Packet: NDMP".

So should I be assuming that NetApp, as an efficiency, stuffs multiple PDUs into the TCP segment, and the Wireshark NDMP dissector hasn't been trained to decipher this?

Thanks!
tl
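
The two cases in the quoted explanation (PDUs straddling TCP segments, and a capture that is missing a segment) can be reproduced with a small reassembler. This is an added example, not part of the original thread and not Wireshark code; the 4-byte length-prefix framing, the helper names and the sample data are assumptions made for illustration and are not NDMP's wire format.

```python
import struct

def frame(payload: bytes) -> bytes:
    # Assumed framing: 4-byte big-endian length, then the PDU body.
    return struct.pack(">I", len(payload)) + payload

def segment(stream: bytes, isn: int, mss: int):
    # Cut the byte stream the way a TCP sender might: fixed-size chunks
    # that ignore PDU boundaries. Returns (sequence number, data) pairs.
    return [(isn + i, stream[i:i + mss]) for i in range(0, len(stream), mss)]

def reassemble(segments, isn: int):
    """Return (complete_pdus, leftover_bytes, gap_seq).

    gap_seq is the first sequence number missing from the capture, or None.
    Simplification: segments do not overlap and sequence numbers do not wrap.
    """
    by_seq = dict(segments)
    stream, next_seq = bytearray(), isn
    while next_seq in by_seq:               # walk the contiguous part only
        stream += by_seq[next_seq]
        next_seq += len(by_seq[next_seq])
    gap_seq = next_seq if any(s > next_seq for s in by_seq) else None

    pdus, off = [], 0
    while len(stream) - off >= 4:
        (length,) = struct.unpack_from(">I", stream, off)
        if len(stream) - off - 4 < length:  # PDU continues in a later segment
            break
        pdus.append(bytes(stream[off + 4:off + 4 + length]))
        off += 4 + length
    return pdus, len(stream) - off, gap_seq

# Constructed sample data: three PDUs of 10, 30 and 5 bytes, MSS of 20.
# Segment 1 carries all of PDU 1 plus the start of PDU 2; PDU 2 spans
# all three segments; segment 3 also carries PDU 3.
ISN = 1000
PDUS = [b"A" * 10, b"B" * 30, b"C" * 5]
SEGS = segment(b"".join(frame(p) for p in PDUS), ISN, 20)

if __name__ == "__main__":
    print(reassemble(SEGS, ISN))                # full capture: all three PDUs
    print(reassemble([SEGS[0], SEGS[2]], ISN))  # middle segment not captured
```

With the middle segment absent, only the first PDU completes: the 6 leftover bytes are the start of a PDU whose reassembly can never finish, and `gap_seq` identifies where the capture lost data.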