[Ethereal-users] "TCP Segment of a reassembled PDU" - clarification, please?

Ethereal-users: July 2006


I'm running Ethereal 0.99.0 under Windows, as well as 0.10.13 under Fedora Core 3. I'm attempting to diagnose some issues where some of our users' connections suddenly up and die rather abruptly. I'm getting some unusual feedback from Ethereal, particularly I'm seeing a large number of "TCP segment of a reassembled PDU" messages.

Some of these packets are, however, only 22 bytes. For instance, frame 3 is 54 bytes and frame 4 - the first listed as a reassembled PDU - is 76 bytes.

The actual dialog occurring is a simple client connecting to a server, handshaking, and then requesting packets of increasing sizes, and the result looks a bit like this (I can't export the actual packet capture as text, it tells me "The path to the file "" doesn't exist."). Capture performed *on* 192.168.0.130:
192.168.0.130   -> 209.144.109.141  TCP  [SYN] Seq=0 Len=0 MSS=1460
209.144.109.141 -> 192.168.0.130    TCP  [SYN,ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
192.168.0.130   -> 209.144.109.141  TCP  [ACK] Seq=1 Ack=1 Win=65535 Len=0
192.168.0.130   -> 209.144.109.141  TCP  [TCP segment of a reassembled PDU]
209.144.109.141 -> 192.168.0.130    TCP  [ACK] Seq=1 Ack=23 Win=5840 Len=0
  
Whereas if I disable the subdissector it looks more like this:
192.168.0.130   -> 209.144.109.141  TCP  [SYN] Seq=0 Len=0 MSS=1460
209.144.109.141 -> 192.168.0.130    TCP  [SYN,ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
192.168.0.130   -> 209.144.109.141  TCP  [ACK] Seq=1 Ack=1 Win=65535 Len=0
192.168.0.130   -> 209.144.109.141  TCP  [PSH,ACK] Seq=1 Ack=1 Win=65535 Len=22
209.144.109.141 -> 192.168.0.130    TCP  [ACK] Seq=1 Ack=23 Win=5840 Len=0
  
My question is this: Is something being fragmented by TCP or is this the result of multiple packets going into a single ethernet frame? I just find it a little odd that I'm seeing "reassembled pdu"s on data leaving 192.168.0.130 in a capture *on* 192.168.0.130 (a box running Windows XP).

- Oliver
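
Added example, not part of the original post: the first listing hides Seq/Len for frame 4 behind the reassembly label, but the peer's next ACK still bounds its payload. The sketch below recovers that length from the summary lines alone; the function name, the regexes and the one-ACK-per-hidden-segment assumption are this example's own.

```python
import re

# Constructed input: the first summary listing from the post, where frame 4
# shows only the reassembly label and no Seq/Len fields.
TRACE = """\
192.168.0.130   -> 209.144.109.141  TCP  [SYN] Seq=0 Len=0 MSS=1460
209.144.109.141 -> 192.168.0.130    TCP  [SYN,ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
192.168.0.130   -> 209.144.109.141  TCP  [ACK] Seq=1 Ack=1 Win=65535 Len=0
192.168.0.130   -> 209.144.109.141  TCP  [TCP segment of a reassembled PDU]
209.144.109.141 -> 192.168.0.130    TCP  [ACK] Seq=1 Ack=23 Win=5840 Len=0
"""

LINE = re.compile(r"^(\S+)\s+->\s+(\S+)\s+TCP\s+\[([^\]]*)\](.*)$")
FIELD = re.compile(r"(\w+)=(\d+)")

def infer_hidden_lengths(trace):
    """Return [(frame_no, sender, inferred_len)] for lines lacking Seq/Len."""
    next_seq = {}   # sender -> next relative sequence number it will use
    pending = {}    # sender -> (frame_no, start_seq) of a label-only segment
    found = []
    for frame_no, raw in enumerate(trace.splitlines(), start=1):
        m = LINE.match(raw.strip())
        if not m:
            continue
        src, dst, flags, rest = m.groups()
        fields = {k: int(v) for k, v in FIELD.findall(rest)}
        # A cumulative ACK from the peer covers bytes up to Ack-1, so it gives
        # the payload of a label-only segment outstanding from dst (assumes
        # this ACK acknowledges exactly that one segment).
        if "Ack" in fields and dst in pending:
            hidden_frame, start = pending.pop(dst)
            found.append((hidden_frame, dst, fields["Ack"] - start))
            next_seq[dst] = fields["Ack"]
        if "Seq" in fields:
            # SYN and FIN each consume one sequence number.
            ctrl = sum(f.strip() in ("SYN", "FIN") for f in flags.split(","))
            next_seq[src] = fields["Seq"] + fields.get("Len", 0) + ctrl
        elif src in next_seq and src not in pending:
            pending[src] = (frame_no, next_seq[src])
    return found

if __name__ == "__main__":
    for frame_no, sender, length in infer_hidden_lengths(TRACE):
        print(f"frame {frame_no} from {sender}: {length} payload bytes")
```

The inferred length for frame 4 matches the Len=22 shown in the second listing, where the subdissector is disabled.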

