
Is [TCP segment of a reassembled PDU] an issue?


Is [TCP segment of a reassembled PDU] an issue? I am seeing a TLS handshake packet [ClientHello] coming in, with the [ACK] going out, followed by 4 packets from the server with a len of 2788 (these have the [TCP segment of reassembled PDU] tag) that upstream are being split into 8 packets (also with the [TCP segment of reassembled PDU] tag) of 1424 each, followed by a combined TLS handshake packet with [ServerHello, Certificate, ServerKeyExchange, CertificateRequest, ServerHelloDone] all in the same packet (len 1295).

In some cases, we are seeing a [FIN,ACK] return from the client instead of the expected [Certificate, ClientKeyExchange, CertificateVerify, ChangeCipherSpec, EncryptedHandshakeMessage].

Appreciate any insight that can be offered!

walkawaze
asked 2023-08-29 20:49:17 +0000

Comments

Can you share the PCAP? Also be aware that if you capture on the server you may see larger packets, as the NIC will do the repacking.

I recall a bug in the Cisco where a ServerHello of more than 4096 failed in the Cisco Content Switch. But that one was fixed over a dozen years ago. But sometimes a client may not expect a specific feature the server wants and close the handshake.

But seeing a good and a bad example might shed some light on this.

hugo.vanderkooij (2023-08-30 06:16:31 +0000)

1 Answer


No, that is not an issue in general. It just says that the transferred data is too large for one packet. Therefore it is spread over more packets. Wireshark can now reassemble that data for you, so that you are able to analyze the application content. If you want to analyze the Layer 1-4 content, then it is sometimes better to disable the reassembly. You can do this by right-clicking on the application header (e.g. HTTP or TLS); then under Protocol Preferences you find entries which are called "Reassembly...". If you deactivate them, the message "TCP segment of a reassembled PDU" is gone.

So in short:

  • Application issue -> Enable Reassembly
  • Network issue -> Disable Reassembly
Christian_R
answered 2023-09-10 16:38:24 +0000
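To make concrete why the tag appears on some packets and the dissected handshake on the last one, here is an added example that is not part of the original question or answer and is not Wireshark code. It builds one constructed TLS 1.2 handshake record carrying the five server messages named in the question (the message sizes are made up, not taken from the poster's capture), cuts it into TCP segments of the 1424-byte size the question mentions, and replays those segments through a minimal record-layer reassembler that labels each segment the way Wireshark's packet list does: a segment that ends inside an incomplete record is a "TCP segment of a reassembled PDU"; the segment that completes the record is where the handshake summary shows up.

```python
"""Toy model of Wireshark's "TCP segment of a reassembled PDU" labelling.

Added example; not from the original post and not Wireshark's own code.
All message lengths below are constructed for illustration.
"""
import struct

TLS_HANDSHAKE = 0x16          # record content type for handshake messages
TLS_VERSION = (3, 3)          # TLS 1.2 record-layer version bytes
MSS = 1424                    # segment size mentioned in the question

HANDSHAKE_TYPES = {
    2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange",
    13: "CertificateRequest", 14: "ServerHelloDone",
}


def handshake_msg(msg_type: int, body: bytes) -> bytes:
    """Handshake message: 1-byte type, 3-byte length, body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def tls_record(content_type: int, payload: bytes) -> bytes:
    """TLS record: 1-byte type, 2-byte version, 2-byte length, payload."""
    return struct.pack("!BBBH", content_type, *TLS_VERSION, len(payload)) + payload


def segment(stream: bytes, mss: int) -> list:
    """Cut the byte stream into TCP segments of at most mss bytes."""
    return [stream[i:i + mss] for i in range(0, len(stream), mss)]


def describe_record(ctype: int, payload: bytes) -> str:
    """Summarise a complete record, walking the handshake messages inside it."""
    if ctype != TLS_HANDSHAKE:
        return f"type {ctype}"
    names, off = [], 0
    while off + 4 <= len(payload):
        msg_type = payload[off]
        length = int.from_bytes(payload[off + 1:off + 4], "big")
        names.append(HANDSHAKE_TYPES.get(msg_type, f"handshake {msg_type}"))
        off += 4 + length
    return "Handshake [" + ", ".join(names) + "]"


def label_segments(segments: list) -> list:
    """Replay segments through a record-layer reassembler.

    Returns one label per segment: the Wireshark-style "TCP segment of a
    reassembled PDU" while the current record is still incomplete, or the
    summary of the record(s) that this segment completes.
    """
    buf, labels = b"", []
    for seg in segments:
        buf += seg
        completed = []
        while len(buf) >= 5:                      # need a full record header
            ctype, _, _, length = struct.unpack("!BBBH", buf[:5])
            if len(buf) < 5 + length:             # record body not all here yet
                break
            completed.append(describe_record(ctype, buf[5:5 + length]))
            buf = buf[5 + length:]
        labels.append(", ".join(completed) if completed
                      else "TCP segment of a reassembled PDU")
    return labels


def server_flight(mss: int = MSS) -> tuple:
    """Constructed server flight (sizes are illustrative), segmented at mss."""
    payload = (handshake_msg(2, b"\x03\x03" + b"\x00" * 38)     # ServerHello
               + handshake_msg(11, b"\xaa" * 4000)              # Certificate (large)
               + handshake_msg(12, b"\xbb" * 300)               # ServerKeyExchange
               + handshake_msg(13, b"\xcc" * 20)                # CertificateRequest
               + handshake_msg(14, b""))                        # ServerHelloDone
    segments = segment(tls_record(TLS_HANDSHAKE, payload), mss)
    return segments, label_segments(segments)


if __name__ == "__main__":
    segs, labels = server_flight()
    for i, (s, lab) in enumerate(zip(segs, labels), 1):
        print(f"segment {i}: len={len(s):4d}  {lab}")
```

With the constructed sizes the record is 4385 bytes, so the first three 1424-byte segments carry the reassembly tag and only the fourth, 113-byte one is shown as the handshake, which is the same shape as the capture in the question (several tagged segments, then one short packet listing all five messages). Turning reassembly off, as the answer describes, simply stops the dissector from buffering across segments, so each segment is shown as raw TCP payload instead; from the command line the equivalent is `tshark -o tcp.desegment_tcp_streams:FALSE`.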

