I opened a pcap in wireshark and it displays a lot of packets as "tcp segment of a reassembled pdu". How wireshark is able to determine which tcp packets are segments of a reassembled pdu ? I am not able to find any header field or anything else by which wireshark can determine this.
Any help will be greatly appreciated. THANKS !!!
Sequence number is the field which helps in reassembly. Say you have data bytes 1-300 to send.
For instance they were divided into 3 segments of size 100 each i.e. first (1-100 byte number), second (101 - 200) and third (201-300). Now even if they are received out of order, sequence numbers won't change. So when reassembling data, you would know the original order of packets and hence wireshark can display the assembled packets.
If the SYN flag is clear (0), then this is the accumulated sequence number of the first data byte of this packet for the current session.
Remember, this is different from ip fragmentation and reassembly. IP header has fields to specify if there are fragments and if so, what is the fragment number of current packet.
© 2022 - 2024 — McMap. All rights reserved.
