Revision history  [back]

As Anders' comment suggested, there is a preference setting tcp.reassemble_out_of_orderthat defaults to False on installation. The preference file is modified by the wireshark gui, this caused my windows cmd tshark to reassemble the out-of-order segments, as I ticked it when I was reading the file on the gui. In linux tshark (without a gui in my case) however you need to overwrite this parameter when running the command like this:

tshark -o tcp.reassemble_out_of_order:TRUE -r ooo.pcap -T fields -e frame.protocols frame.number==650