Follow Techotopia on Twitter

On-line Guides
All Guides
eBook Store
iOS / Android
Linux for Beginners
Office Productivity
Linux Installation
Linux Security
Linux Utilities
Linux Virtualization
Linux Kernel
System/Network Admin
Scripting Languages
Development Tools
Web Development
GUI Toolkits/Desktop
Mail Systems
Eclipse Documentation

How To Guides
General System Admin
Linux Security
Linux Filesystems
Web Servers
Graphics & Desktop
PC Hardware
Problem Solutions
Privacy Policy




7.6. Packet Reassembling

7.6.1. What is it?

Network protocols often need to transport large chunks of data, which are complete in themselves, e.g. when transferring a file. The underlying protocol might not be able to handle that chunk size (e.g. limitation of the network packet size), or is stream-based like TCP, which doesn't know data chunks at all.

In that case the network protocol has to handle the chunk boundaries itself and (if required) spread the data over multiple packets. It obviously also needs a mechanism to determine the chunk boundaries on the receiving side.

[Tip] Tip!

Wireshark calls this mechanism reassembling, although a specific protocol specification might use a different term for this (e.g. desegmentation, defragmentation, ...).

7.6.2. How Wireshark handles it

For some of the network protocols Wireshark knows of, a mechanism is implemented to find, decode and display these chunks of data. Wireshark will try to find the corresponding packets of this chunk, and will show the combined data as additional pages in the "Packet Bytes" pane (for information about this pane, see Section 3.18, “The "Packet Bytes" pane”).

Figure 7.2. The "Packet Bytes" pane with a reassembled tab

The "Packet Bytes" pane with a reassembled tab

[Note] Note!

Reassembling might take place at several protocol layers, so it's possible that multiple tabs in the "Packet Bytes" pane appear.

[Note] Note!

You will find the reassembled data in the last packet of the chunk.

An example: In a HTTP GET response, the requested data (e.g. an HTML page) is returned. Wireshark will show the hex dump of the data in a new tab "Uncompressed entity body" in the "Packet Bytes" pane.

Reassembling is enabled in the preferences by default. The defaults were changed from disabled to enabled in September 2005. If you created your preference settings before this date, you might look if reassembling is actually enabled, as it can be extremely helpful while analyzing network packets.

The enabling or disabling of the reassemble settings of a protocol typically requires two things:

  1. the lower level protocol (e.g., TCP) must support reassembly. Often this reassembly can be enabled or disabled via the protocol preferences.

  2. the higher level protocol (e.g., HTTP) must use the reassembly mechanism to reassemble fragmented protocol data. This too can often be enabled or disabled via the protocol preferences.

The tooltip of the higher level protocol setting will notify you if and which lower level protocol setting also has to be considered.

  Published under the terms fo the GNU General Public License Design by Interspire