
If the tshark -r dumpfile output contains the type [TCP segment of a reassembled PDU], as in

81 3.164109000 4.5.6.7 -> 12.13.14.15 TLSv1.2 609 Application Data
83 3.164523000 4.5.6.7 -> 12.13.14.15 TCP 2802 [TCP segment of a reassembled PDU]
85 3.277723000 4.5.6.7 -> 12.13.14.15 TLSv1.2 4170 Application Data

it is clear that this means that several TCP segments contain an application-level PDU (in this case, TLSv1.2).

If it is omitted from the output (via further processing, e.g. grep), does the trace still contain all the information about the flows, or not?

In other words, can one see from the remaining lines (here lines 81 and 85), how much data flowed from whom to whom? (Question also on ask.wireshark.com)

serv-inc

1 Answer


It was answered at the Wireshark forum:

you can't omit those frames, because they are part of the TCP/TLS conversation.

serv-inc
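An added example, not part of the question or the answer, that makes the answer's point measurable: it parses tshark one-line summary output in the format quoted above and totals the bytes seen per direction with and without the "[TCP segment of a reassembled PDU]" lines, so you can see exactly what a grep -v would drop from a flow accounting. The sample lines (including the constructed ACK in the reverse direction) and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of `tshark -r dumpfile` summary output. Frames 81, 83 and 85
# mirror the ones in the question; frame 86 is a made-up ACK in the other direction.
SAMPLE = """\
 81 3.164109000 4.5.6.7 -> 12.13.14.15 TLSv1.2 609 Application Data
 83 3.164523000 4.5.6.7 -> 12.13.14.15 TCP 2802 [TCP segment of a reassembled PDU]
 85 3.277723000 4.5.6.7 -> 12.13.14.15 TLSv1.2 4170 Application Data
 86 3.278001000 12.13.14.15 -> 4.5.6.7 TCP 66 443 > 50000 [ACK] Seq=1 Ack=7517 Win=65535 Len=0
"""

REASSEMBLY_MARK = "[TCP segment of a reassembled PDU]"

# frame  time  src  ->  dst  protocol  frame-length  info   (older tshark prints "->",
# newer builds print a unicode arrow; both are accepted)
LINE_RE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(?:->|\u2192)\s+(\S+)\s+(\S+)\s+(\d+)\s+(.*)$"
)


def parse_summary(text):
    """Turn tshark summary lines into dicts; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        frame, _time, src, dst, proto, length, info = m.groups()
        rows.append({"frame": int(frame), "src": src, "dst": dst,
                     "proto": proto, "length": int(length), "info": info})
    return rows


def bytes_per_direction(rows, drop_reassembly_segments=False):
    """Sum frame lengths (bytes on the wire, headers included) per (src, dst) pair.

    With drop_reassembly_segments=True the reassembled-PDU lines are ignored,
    which is what `grep -v` on the summary output would do to your accounting."""
    totals = defaultdict(int)
    for r in rows:
        if drop_reassembly_segments and REASSEMBLY_MARK in r["info"]:
            continue
        totals[(r["src"], r["dst"])] += r["length"]
    return dict(totals)


def bytes_lost_by_filtering(rows):
    """Bytes that disappear from the totals when the reassembly lines are filtered out."""
    full = bytes_per_direction(rows)
    kept = bytes_per_direction(rows, drop_reassembly_segments=True)
    return sum(full.values()) - sum(kept.values())
```

Running it on the sample shows the client-to-server direction shrinking from 7581 to 4779 bytes once frame 83 is filtered, which is the information the answer says you cannot recover from the remaining lines.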