TCP segment of a reassembled PDU
While capturing packets I came across "TCP segment of a reassembled PDU". I searched and found a fellow blogger's article that solved my problem very well, so I am sharing it here.
"TCP segment of a reassembled PDU" does not refer to IP-layer fragmentation; Wireshark marks IP fragments with "Fragmented IP protocol". On closer inspection, "TCP segment of a reassembled PDU" refers to the segments the TCP layer sends after it receives a large block of data from the upper layer and splits it into pieces. This raises a question: TCP could hand the whole large message to the IP layer and let IP do the splitting, so why does TCP divide it itself? The answer is the TCP MSS (Maximum Segment Size). In the first segment that initiates the connection, TCP uses the MSS option in the TCP header to tell the other side the largest segment it can receive (this size is the size of the TCP payload). On Ethernet this value is generally set to 1460, because 1460 bytes of payload + 20-byte TCP header + 20-byte IP header = 1500 bytes, which exactly matches the link layer's maximum message size.
How do you determine whether a received message is a "TCP segment"? If several messages carry the same ACK number, their sequence numbers differ, and each later sequence number equals the previous sequence number plus the previous message's size plus 1, then they must be TCP segments. When the ACK flag is not set, this cannot be determined.
Today, while using the Windows search feature to look for content in a shared folder on the network, I noticed that the traffic was huge when searching network files. Curious, I captured the traffic with Wireshark and found a lot of "TCP segment of a reassembled PDU" messages in Wireshark's Info column. Puzzled, I searched Baidu and found that everyone is asking this question online and there is no good answer. Since "TCP segment of a reassembled PDU" is just Wireshark's message, I wondered what hint Sniffer Pro would give. Opening the same trace in Sniffer showed the hints "continuation of missing frame" and "continuation of frame XX". Now I roughly know what "TCP segment of a reassembled PDU" means: when a host responds to a query or command and the response contains more data than the TCP MSS allows, the host sends multiple packets to transmit the data (note: these packets are not fragmented). Wireshark labels these packets, which all correspond to the same query command, as "TCP segment of a reassembled PDU".
Question: how does Wireshark recognize that multiple packets are responding to the same query packet? Wireshark identifies them by sequence number: these packets all carry the same ACK number, and of course that value is the same as the next sequence number in the query packet.
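The MSS arithmetic and the grouping rule described above, as an added Python example (not code from the original post and not Wireshark's own implementation). The `Segment` class, function names and sample sequence numbers are constructed for illustration, and a segment counts as contiguous when its sequence number equals the previous segment's sequence number plus its payload length, the value Wireshark displays as the next sequence number.

```python
from dataclasses import dataclass

# Values from the text: 1500-byte Ethernet payload, 20-byte IP and TCP headers.
MTU, IP_HEADER, TCP_HEADER = 1500, 20, 20
MSS = MTU - IP_HEADER - TCP_HEADER  # 1460 bytes of TCP payload

@dataclass
class Segment:
    seq: int     # sequence number of the first payload byte
    ack: int     # acknowledgment number carried by the segment
    length: int  # TCP payload length in bytes

    @property
    def next_seq(self) -> int:
        return self.seq + self.length

def segment_response(start_seq, ack, total_bytes, mss=MSS):
    """Sender side: split one upper-layer message into MSS-sized segments."""
    segments, offset = [], 0
    while offset < total_bytes:
        size = min(mss, total_bytes - offset)
        segments.append(Segment(start_seq + offset, ack, size))
        offset += size
    return segments

def group_into_pdus(segments):
    """Capture side: group segments with the same ACK number and contiguous
    sequence numbers. Sequence-number wraparound is not handled here."""
    groups = []
    for seg in sorted(segments, key=lambda s: s.seq):
        if seg.length == 0:
            continue  # pure ACK, no payload to reassemble
        last = groups[-1][-1] if groups else None
        if last and seg.seq < last.next_seq:
            continue  # retransmission of data already seen
        if last and seg.ack == last.ack and seg.seq == last.next_seq:
            groups[-1].append(seg)
        else:
            groups.append([seg])
    return groups

if __name__ == "__main__":
    # Constructed capture: a 4000-byte reply to a query whose next sequence
    # number was 1120, then a 500-byte reply to a later query (ACK 1200).
    capture = segment_response(5000, 1120, 4000) + segment_response(9000, 1200, 500)
    for pdu in group_into_pdus(capture):
        print(f"ack={pdu[0].ack} segments={[s.length for s in pdu]} "
              f"total={sum(s.length for s in pdu)}")
```

The second reply starts at sequence number 9000, exactly where the first one ends, so only the changed ACK number separates the two groups.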