Wireshark Tip 1: TCP Reassembly Setting

Captions
Hi, this is Laura Chappell, and I'd like to provide you with an example of how to use Wireshark tip number one that I tweeted. Now, if you want to stay up on the Wireshark tip series, you can follow me at @laurachappell. Wireshark tip number one is to turn off the TCP preference for reassembly when you're working with HTTP. This way you can see the response code in the correct packet.

Now let me take you out to a trace file and show you why you want to implement this tip. I've opened a basic trace file where I have a web browsing session taking place. I can see a DNS query for an A record, an IPv4 address, and a response, and then a DNS query for an AAAA record, or an IPv6 address, and a response coming back. There's my TCP handshake, and there's my GET request for the main page. Now, after you make a GET request to an HTTP server, you should get a numerical code back, and hopefully it'll be a 200, indicating that everything's okay. But with this default configuration Wireshark is not showing me the 200 OK, even though I know that that value is sitting in packet number nine. If I scroll down in the packet bytes pane here, we can see exactly what's being sent down to us, and we can see that 200 OK right at the top, where it says 2; there's the 0 0 on the next line, OK. But I'd like to be able to see this in my Info column. I certainly don't want to have to go back all the time to my packet bytes pane to see that, so we're going to change the TCP reassembly setting.

If the packet has a response code in it and there's data piggybacked on that response code, by default Wireshark will put up this line that says "TCP segment of a reassembled PDU", or protocol data unit. I don't want to see that; I want to see the response code right there in the packet in which it's contained. There are two ways of changing this setting: there's the long way and there's the quick, short way. So the long way would be to click on the Edit Preferences button up on the main toolbar, but I want you to get used to using Wireshark in the most efficient way possible. So instead of using the Edit Preferences button, let's go ahead and just select a TCP header in the packet details pane and then right-mouse-click on that header. This will bring up a window, or a menu that expands, and we can see that there's a line that says Protocol Preferences. This is the setting that I want to disable: "Allow subdissector to reassemble TCP streams". In the background I have packet number nine highlighted, and I want you to pay attention to that packet, because this is going to change in just a moment. I will uncheck that setting, and now packet number nine shows me my response code. This is great, because I can also sort the Info column to put all the response codes together, and it's pretty easy to see that, yes, I have a 404 in there. I'll sort back on the original order again.

So why would you not want to change that setting? Well, if you work with reassembly, in other words you want to reassemble all the objects that were transferred using HTTP: if you left Wireshark at its default, allowing the reassembly, then when you select File > Export Objects > HTTP you would see that Wireshark would reassemble all of these identical file names into a single line, allowing you to save them separately. Honestly, that's not a feature that I do a lot with Wireshark. I think there are better tools out there for doing reassembly, such as maybe NetworkMiner; that's just not Wireshark's strong point. But if you do want to use that File > Export Objects > HTTP, you'll need to turn that setting back on.

You can keep up with the Wireshark tips that I'm releasing on Twitter if you follow me at @laurachappell. For more Wireshark training and tips, you can visit chappellu.com.
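Added example (not part of the video): a small Python model of why the setting moves the status code between frames. The TCP preference "Allow subdissector to reassemble TCP streams" is `tcp.desegment_tcp_streams` in Wireshark's preferences, and `tshark -o tcp.desegment_tcp_streams:FALSE -r file.pcapng -Y http.response` applies the same tip on the command line. The segments below are constructed bytes, not a real capture, and `dissect()` is a deliberately simplified stand-in for the HTTP dissector: with reassembly on, it holds frames until `Content-Length` bytes have arrived and labels the earlier ones "TCP segment of a reassembled PDU"; with it off, each segment is dissected on its own, so the frame that carries the status line shows it immediately and the rest become "Continuation".

```python
from dataclasses import dataclass

REASSEMBLED = "[TCP segment of a reassembled PDU]"


@dataclass
class Segment:
    frame: int      # frame number as Wireshark would show it
    payload: bytes  # TCP payload only; headers are omitted in this model


def parse_response_head(data: bytes):
    """Return (status_line, content_length, header_end) once the full header
    block is present, else None (the dissector would ask for more data)."""
    end = data.find(b"\r\n\r\n")
    if end < 0:
        return None
    lines = data[:end].decode("ascii", "replace").split("\r\n")
    content_length = 0
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "content-length":
            content_length = int(value.strip())
    return lines[0], content_length, end + 4


def dissect(segments, reassemble: bool) -> dict:
    """Map frame number -> Info column text, for both preference settings."""
    info = {}
    buf = b""
    pending = []  # frames held back while the PDU is incomplete
    for seg in segments:
        if not reassemble:
            # Preference off: every segment is dissected in isolation.
            if seg.payload.startswith(b"HTTP/"):
                info[seg.frame] = seg.payload.split(b"\r\n", 1)[0].decode()
            else:
                info[seg.frame] = "Continuation"
            continue
        # Preference on: accumulate until the whole response has arrived.
        buf += seg.payload
        pending.append(seg.frame)
        head = parse_response_head(buf)
        if head is None or len(buf) < head[2] + head[1]:
            info[seg.frame] = REASSEMBLED
            continue
        status, content_length, header_end = head
        for frame in pending[:-1]:
            info[frame] = REASSEMBLED
        info[seg.frame] = status  # the status shows up on the LAST frame
        buf = buf[header_end + content_length:]
        pending = []
    return info


# Constructed sample: a 200 OK whose 40-byte body spans three segments,
# numbered 9, 10 and 11 to match the frame discussed in the video.
HEAD = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
        b"Content-Length: 40\r\n\r\n")
BODY = b"<html><body>hello from the server</body>"
assert len(BODY) == 40
SEGMENTS = [
    Segment(9, HEAD + BODY[:10]),
    Segment(10, BODY[10:25]),
    Segment(11, BODY[25:]),
]

if __name__ == "__main__":
    for mode in (True, False):
        print(f"tcp.desegment_tcp_streams = {mode}")
        for frame, text in sorted(dissect(SEGMENTS, mode).items()):
            print(f"  frame {frame:>2}: {text}")
```

Two caveats a practitioner should keep in mind. First, the model only shows the status line when it begins a segment; with TCP reassembly off, a status line that itself straddles two segments will not be parsed by the real HTTP dissector either, so a missing code is not always a 4xx hiding in the body. Second, the preference is global, so switching it off also affects every other TCP-carried protocol that relies on reassembly (TLS, SMB and others); a Wireshark profile dedicated to HTTP response-code triage keeps the change from leaking into other work.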
Info
Channel: Laura Chappell
Views: 34,682
Keywords: Wireshark How-To Training HTTP TCP/IP Analysis, Wireshark (Software), TCP HTTP Troubleshooting, Transmission Control Protocol (Invention)
Id: GLw-qXdK1MM
Length: 4min 26sec (266 seconds)
Published: Sat Jul 20 2013