Today we used the Windows search function to search the contents of a shared folder on the network, and noticed that searching network files generates a huge amount of traffic. Out of curiosity I captured the packets with Wireshark and found many “TCP segment of a reassembled PDU” messages in the Info column. I did not understand them, so I searched Baidu for a while and found that everyone is asking this question, with no good answer online.
Since “TCP segment of a reassembled PDU” is just a Wireshark annotation, what does Sniffer Pro show for the same packets? Opening the same trace in Sniffer shows “continuation of missing frame” and “continuation of frame XX”. By now you can probably guess what “TCP segment of a reassembled PDU” means.
What does “PDU” mean here? When a host responds to a query or command and the response carries more data than the TCP MSS allows, the host sends multiple packets to transmit the data (note: these packets are not fragmented). Wireshark marks the packets that belong to the same query or command with “TCP segment of a reassembled PDU”.
How does Wireshark identify that multiple packets are responses to the same query packet? Wireshark identifies these packets according to their sequence numbers: the ACK number of all these packets is the same, and it equals the next sequence number of the query packet.
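
The observation above, as an added Python example (not code from the original post and not Wireshark's own implementation): one large response is cut into MSS-sized segments that all carry the same ACK number, and a capture is regrouped by that number. The function names, the dictionary layout and the sample values are assumptions made for the illustration; sequence-number wraparound is ignored.

```python
from collections import defaultdict

MSS = 1460  # typical Ethernet value: 1500 - 20 (IP header) - 20 (TCP header)

def segment_response(payload, first_seq, ack, mss=MSS):
    """Cut one application response into TCP segments of at most `mss` bytes.

    Every segment carries the same ACK number, because the sender receives
    nothing new from the peer while it streams the response.
    """
    return [{"seq": first_seq + off, "ack": ack, "data": payload[off:off + mss]}
            for off in range(0, len(payload), mss)]

def reassemble_by_ack(capture):
    """Group captured segments by ACK number and rebuild each PDU in seq order."""
    groups = defaultdict(dict)
    for seg in capture:
        # Keying by seq drops retransmitted duplicates of the same segment.
        groups[seg["ack"]][seg["seq"]] = seg["data"]
    return {ack: b"".join(by_seq[s] for s in sorted(by_seq))
            for ack, by_seq in groups.items()}

# Constructed sample: the query had seq=1000 and 120 bytes of data, so its
# next sequence number is 1120, which is the ACK number of every reply segment.
SAMPLE_RESPONSE = bytes(range(256)) * 16          # 4096 bytes, larger than one MSS
QUERY_NEXT_SEQ = 1000 + 120

if __name__ == "__main__":
    segs = segment_response(SAMPLE_RESPONSE, first_seq=5000, ack=QUERY_NEXT_SEQ)
    for s in segs:
        print(f"seq={s['seq']} ack={s['ack']} len={len(s['data'])}")
    # Out-of-order capture with one retransmission still yields the original PDU.
    capture = list(reversed(segs)) + [segs[0]]
    print(reassemble_by_ack(capture)[QUERY_NEXT_SEQ] == SAMPLE_RESPONSE)
```
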
[background knowledge] MTU: maximum transmission unit
MSS: maximum segment size
PPPoE: PPP over Ethernet
[analysis process] Let’s start with the MTU, the maximum transmission unit. It is closely tied to the link-layer protocol. Recall the structure of an Ethernet II frame: DMAC + SMAC + Type + Data + CRC. Because of the electrical limits of Ethernet transmission, each Ethernet frame has a minimum size of 64 bytes and cannot exceed 1518 bytes. Frames smaller or larger than these limits can be regarded as bad frames, and ordinary Ethernet forwarding devices discard them. (Note: frames smaller than 64 bytes are generally “fragments” caused by Ethernet collisions, line interference or a bad Ethernet interface. Frames larger than 1518 bytes are generally called giant frames and are usually caused by line interference or a bad Ethernet interface.)
Since the largest Ethernet II frame is 1518 bytes, removing the 14-byte frame header (DMAC, destination MAC address, 48 bits = 6 bytes; SMAC, source MAC address, 48 bits = 6 bytes; Type field, 2 bytes) and the 4-byte CRC at the end of the frame (sometimes called the FCS) leaves only 1500 bytes for the Data field, the part that carries the upper-layer protocol. We call this size the MTU. The network-layer protocol cares a great deal about it, because a network-layer protocol such as IP uses this value to decide whether to fragment the data passed down from the upper layer. It is like a box that cannot hold a big loaf of bread: we have to slice the bread and put it into several boxes.
When two remote PCs communicate, their data has to pass through many routers and a variety of network media to reach the other end. Different media in the network have different MTUs, like a long water pipe assembled from sections of different thickness (different MTUs). The maximum flow through the pipe is determined by the thinnest section in the middle.
The protocols above the network layer (taking the TCP/IP family as an example) do not care about the thickness of the water pipe; they consider it the network layer’s business. The network-layer IP protocol checks the size of each packet handed down from the upper-layer protocol and decides whether to “slice” it according to the local MTU. The biggest disadvantage of fragmentation is that it reduces transmission performance: what could have been done in one go now takes several. Implementations of the layer above the network layer (that is, the transport layer) therefore often pay attention to this. For various reasons, some upper-layer protocols insist that the bread must not be sliced (“I want the whole loaf”), so they set a flag in the IP packet header: DF (Don’t Fragment). When such an IP packet crosses a large network (the water pipe) and meets an MTU smaller than the packet, the forwarding device discards the packet as required and returns an error message to the sender. This often causes communication problems, but fortunately most network links have an MTU of 1500 or larger.
UDP is a connectionless protocol and does not care much about the arrival order or correct arrival of packets, so ordinary UDP applications place no special requirements on fragmentation.
TCP is different. It is connection oriented and cares a great deal about the arrival order of packets and whether errors occur in transmission. Therefore some TCP applications have a requirement regarding fragmentation: no fragmentation (DF).
Now for today’s third protagonist: MSS. MSS, short for maximum segment size, is a TCP concept: the largest data segment a TCP packet can carry at a time. To achieve the best transmission efficiency, the two sides usually negotiate their MSS values when the TCP connection is established. TCP implementations usually derive this value from the MTU (subtracting the 20-byte IP header and the 20-byte TCP header), so the MSS is usually 1460. The two sides take the smaller of the MSS values they each advertise as the maximum MSS for the connection.
Having introduced the three protagonists, let’s return to the problem from the foreword. Suppose we adjust the maximum MSS of every TCP connection on the intermediate router, so that the maximum MSS plus the packet headers and trailer does not exceed the MTU of the PPPoE link. Then the communication failure will not occur. The problem above can therefore be solved with ip tcp adjust-mss 1452.
Of course, the problem can also be solved by changing the MTU on the PC.
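
The arithmetic behind the value 1452, as an added Python example (not part of the original post): it reads the MSS option from two SYN headers, takes the minimum as described above, and checks the resulting IP packet against a PPPoE link. The function names, the constructed SYN headers, the 8-byte PPPoE overhead and the 536-byte default used when no MSS option is present are assumptions of this example.

```python
import struct

IP_HDR, TCP_HDR = 20, 20   # header sizes without options, as in the article
PPPOE_OVERHEAD = 8         # assumption: 6-byte PPPoE header + 2-byte PPP protocol ID
DEFAULT_MSS = 536          # assumption: TCP default when a SYN carries no MSS option

def mss_from_syn(tcp_header):
    """Return the MSS option (kind 2) of a raw TCP header, or DEFAULT_MSS."""
    opts = tcp_header[20:(tcp_header[12] >> 4) * 4]   # data offset is in 32-bit words
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # end of option list
            break
        if kind == 1:                      # NOP is a single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            break                          # malformed length: stop parsing
        length = opts[i + 1]
        if kind == 2 and length == 4 and i + 4 <= len(opts):
            return struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += length
    return DEFAULT_MSS

def build_syn(mss):
    """Constructed SYN header for the demo: 20 fixed bytes plus one MSS option."""
    fixed = struct.pack("!HHIIBBHHH", 50000, 445, 1000, 0, 6 << 4, 0x02, 65535, 0, 0)
    return fixed + struct.pack("!BBH", 2, 4, mss)

def check_path(client_syn, server_syn, path_mtu):
    """Negotiate the MSS as min(both sides) and test it against the path MTU."""
    mss = min(mss_from_syn(client_syn), mss_from_syn(server_syn))
    packet = mss + IP_HDR + TCP_HDR
    return {"mss": mss, "ip_packet": packet, "fits": packet <= path_mtu,
            "clamp": path_mtu - IP_HDR - TCP_HDR}

if __name__ == "__main__":
    pppoe_mtu = 1500 - PPPOE_OVERHEAD                                   # 1492
    print(check_path(build_syn(1460), build_syn(1460), pppoe_mtu))      # too large
    print(check_path(build_syn(1452), build_syn(1460), pppoe_mtu))      # after clamping
```
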