sean bzd | 8 Aug 2012 18:05

display filter to 'not see' TCP segment of a reassembled PDU packets

Hi Wireshark experts,


I'm looking at some traffic where there are a lot of "TCP segment of a reassembled PDU". 
I want to look at the reassembled PDU ONLY and not the individual segments that made up the PDU. Is there any display filter I can use for this? I have the "Allow subdissector to reassemble TCP streams" checkbox checked.

Thanks,
Sean


___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@...>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@...?subject=unsubscribe
Sake Blok | 10 Aug 2012 23:24

Re: display filter to 'not see' TCP segment of a reassembled PDU packets

On 8 aug 2012, at 18:05, sean bzd wrote:

> I'm looking at some traffic where there are a lot of "TCP segment of a reassembled PDU".
> I want to look at the reassembled PDU ONLY and not the individual segments that made up the PDU. Is there any display filter I can use for this? I have the "Allow subdissector to reassemble TCP streams" checkbox checked.

When you know the protocol, you can just filter on the higher layer protocol. So for http you can filter with "http". You can also exclude the segments with "!tcp.reassembled_in", however, the first segment is still shown, which can be considered a bug.

Cheers,
Sake
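
The following is an added example, not part of the mailing-list thread: it groups frames by their tcp.reassembled_in value (the number of the frame in which the PDU is reassembled) and lists which frames the "!tcp.reassembled_in" filter would exclude. The sample rows are constructed, and the tshark command in the comment is an assumption about how such input would be produced.

```python
from collections import defaultdict

# Constructed sample (not from the thread) of tab-separated output from:
#   tshark -r capture.pcap -Y tcp -T fields -e frame.number -e tcp.reassembled_in
# The second column is empty when a frame has no tcp.reassembled_in field.
SAMPLE = "\n".join([
    "1\t4",
    "2\t4",
    "3\t4",
    "4\t7",  # constructed case: completes the PDU from 1-3 and starts the next
    "5\t",   # e.g. a bare ACK
    "6\t7",
    "7\t",
    "8\t",
])

def parse(text):
    """Yield (frame_number, [frames in which this frame's data is reassembled])."""
    for line in text.splitlines():
        if not line.strip():
            continue
        num, _, refs = line.partition("\t")
        # tshark joins repeated occurrences of a field with commas by default.
        yield int(num), [int(r) for r in refs.split(",") if r.strip()]

def group_pdus(text):
    """Map each reassembly frame to the frames that feed it."""
    pdus = defaultdict(list)
    for num, refs in parse(text):
        for ref in refs:
            pdus[ref].append(num)
    return dict(pdus)

def hidden_by_filter(text):
    """Frames that the display filter !tcp.reassembled_in would exclude."""
    return [num for num, refs in parse(text) if refs]

def hidden_pdu_frames(text):
    """Reassembly frames that the same filter also excludes."""
    pdus = group_pdus(text)
    return [num for num in hidden_by_filter(text) if num in pdus]

if __name__ == "__main__":
    for frame, segments in sorted(group_pdus(SAMPLE).items()):
        print(f"PDU reassembled in frame {frame}: segments {segments}")
    print("excluded by !tcp.reassembled_in:", hidden_by_filter(SAMPLE))
    print("excluded frames that also hold a reassembled PDU:", hidden_pdu_frames(SAMPLE))
```

In the constructed sample, frame 4 both completes one PDU and carries the start of the next, so a filter on the field alone would hide it along with the plain segments.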
