
Packet Reassembly in Wireshark

Last Updated : 17 Aug, 2022

Wireshark lists frames in the order in which they were captured, and reassembly does not change that order. What reassembly does is collect the pieces of a single higher-layer message that was split across several frames (IPv4 fragments, TCP segments) and dissect the complete message once the final piece has been seen. Display filters are evaluated per frame after dissection, so a filter such as “http” matches the frame in which the reassembled message is shown, while the earlier frames appear as “[TCP segment of a reassembled PDU]” and carry a “Reassembled in” reference to that frame. Because reassembly needs every piece, it works best on a saved capture that Wireshark can dissect from start to finish; if frames were dropped by the capture process or truncated by a short snapshot length, the message cannot be reassembled and the dissector has to fall back to showing the raw bytes.

Reassembly matters because most application-layer messages are larger than one TCP segment or one IP datagram. Without it, Wireshark can only dissect whatever happens to be inside each frame, which for the middle of an HTTP response or a TLS record is an undecodable run of bytes. Reassembly is enabled per protocol, so you can trade memory and dissection time for readability: turn it on for the protocols you are analysing and leave it off where you want to see each segment exactly as it appeared on the wire. Custom dissectors written in Lua or C use the same mechanism, asking the TCP dissector for more bytes (desegment_offset and desegment_len) until a whole message is available.

When reassembly succeeds, the frame carrying the last piece shows the complete decoded message, and the packet bytes pane gets an extra tab containing the reassembled bytes. When it fails, the protocol dissector typically labels the data “Continuation” or leaves it as undissected TCP payload. The usual causes are a missing piece (the capture started mid-stream, or a segment was dropped, which the expert info “TCP Previous segment not captured” points out), frames truncated by the snapshot length, or the relevant reassembly preference being disabled. Reassembly has a cost: Wireshark must hold every piece in memory until the message completes, which is one reason it is a per-protocol preference rather than always on.

Working of Packet Reassembly:

  • Wireshark identifies the pieces of one message by protocol-specific keys, not by timestamps: IPv4 fragments by (source, destination, protocol, Identification) together with the Fragment Offset field and the More Fragments flag; TCP segments by the connection four-tuple and the sequence number of each segment.
  • The pieces are held in a per-message reassembly table until the piece carrying the end of the message arrives: for IPv4, the fragment with More Fragments clear; for TCP, the point at which the subdissector reports that it has enough bytes for a complete PDU.
  • When the message is complete it is dissected in the frame carrying the last piece. That frame lists the contributing frames and their byte ranges under “Reassembled IPv4” or “Reassembled TCP Segments”, the earlier frames get a “Reassembled in: N” reference, and the reassembled bytes appear in a second tab of the packet bytes pane.
  • Reassembly is controlled per protocol in Edit > Preferences > Protocols: IPv4 has “Reassemble fragmented IPv4 datagrams”, TCP has “Allow subdissector to reassemble TCP streams” and “Reassemble out-of-order segments”, and application protocols have their own options, for example HTTP’s “Reassemble HTTP bodies spanning multiple TCP segments”. Turning an option off makes Wireshark dissect each frame on its own.
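The IPv4 side of that process, as an added example that is not Wireshark’s code: a small reassembler keyed on (source, destination, protocol, Identification) that accepts fragments in any order, reports the frame in which the datagram completed (what Wireshark’s “ip.reassembled_in” field holds) and flags overlapping fragments whose bytes disagree (the condition behind “ip.fragment.overlap.conflict”). The raw IPv4 packets are constructed inline with struct, and the frame numbers and addresses are assumed. Where overlapping bytes conflict, this toy keeps the first-received bytes; real IP stacks differ in that choice, which is exactly what fragment-overlap evasion exploits, so the conflict flag is the thing to act on, not the reassembled bytes.

```python
import struct
from dataclasses import dataclass, field
from typing import Optional

# Added example, not Wireshark code. Frame numbers and addresses are assumed.

@dataclass
class Fragment:
    frame: int        # capture frame number, 1-based like Wireshark's packet list
    offset: int       # byte offset of this piece inside the original datagram
    more: bool        # More Fragments (MF) flag
    data: bytes

@dataclass
class Pending:
    fragments: list = field(default_factory=list)
    total_len: Optional[int] = None               # known once the MF=0 fragment has been seen
    conflicts: list = field(default_factory=list)  # (earlier frame, later frame) whose overlap disagrees

def build_ipv4(ident, offset, more, payload,
               src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02", proto=17):
    """Construct a raw IPv4 packet with a 20-byte header (checksum left as 0, no options)."""
    assert offset % 8 == 0, "fragment offsets are carried in 8-byte units"
    flags_frag = (0x2000 if more else 0) | (offset // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                         flags_frag, 64, proto, 0, src, dst)
    return header + payload

def parse_ipv4(frame, raw):
    """Return the reassembly key and the Fragment carried by one raw IPv4 packet."""
    ver_ihl, _tos, total, ident, flags_frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    frag = Fragment(frame, (flags_frag & 0x1FFF) * 8, bool(flags_frag & 0x2000), raw[ihl:total])
    return (src, dst, proto, ident), frag

class Defragmenter:
    """Partial datagrams per key, like the table behind 'Reassemble fragmented IPv4 datagrams'."""
    def __init__(self):
        self.table = {}

    def add(self, frame, raw):
        """Feed one frame. Returns (key, data, contributing frames, conflicts) in the frame
        that completes the datagram (its 'reassembled in' frame), otherwise None."""
        key, frag = parse_ipv4(frame, raw)
        if not frag.more and frag.offset == 0:           # not fragmented at all
            return key, frag.data, [frame], []
        pend = self.table.setdefault(key, Pending())
        for old in pend.fragments:                        # overlap check against every earlier piece
            lo = max(old.offset, frag.offset)
            hi = min(old.offset + len(old.data), frag.offset + len(frag.data))
            if lo < hi and old.data[lo - old.offset:hi - old.offset] != \
                    frag.data[lo - frag.offset:hi - frag.offset]:
                pend.conflicts.append((old.frame, frame))
        pend.fragments.append(frag)
        if not frag.more:
            pend.total_len = frag.offset + len(frag.data)
        if pend.total_len is None:
            return None
        covered = 0                                       # contiguous coverage from offset 0?
        for f in sorted(pend.fragments, key=lambda f: f.offset):
            if f.offset > covered:
                return None                               # gap: still waiting for a piece
            covered = max(covered, f.offset + len(f.data))
        if covered < pend.total_len:
            return None
        buf, seen = bytearray(pend.total_len), bytearray(pend.total_len)
        for f in pend.fragments:                          # arrival order: first-received bytes win
            for i, b in enumerate(f.data):
                pos = f.offset + i
                if pos < pend.total_len and not seen[pos]:
                    buf[pos], seen[pos] = b, 1
        del self.table[key]
        return key, bytes(buf), sorted(f.frame for f in pend.fragments), pend.conflicts

PAYLOAD = b"A" * 16 + b"B" * 16 + b"C" * 8   # constructed 40-byte datagram payload

def demo_out_of_order():
    """Three fragments arriving middle, last, first: completes in frame 3 with no conflicts."""
    d, results = Defragmenter(), {}
    for frame, raw in [(1, build_ipv4(0x1234, 16, True, PAYLOAD[16:32])),
                       (2, build_ipv4(0x1234, 32, False, PAYLOAD[32:])),
                       (3, build_ipv4(0x1234, 0, True, PAYLOAD[:16]))]:
        r = d.add(frame, raw)
        if r:
            results[frame] = r
    return results

def demo_overlap_conflict():
    """Frame 2 injects 16 bytes of 'X' at offset 8, overlapping frames 1 and 4 with different content."""
    d, r = Defragmenter(), None
    for frame, raw in [(1, build_ipv4(0x4321, 16, True, PAYLOAD[16:32])),
                       (2, build_ipv4(0x4321, 8, True, b"X" * 16)),
                       (3, build_ipv4(0x4321, 32, False, PAYLOAD[32:])),
                       (4, build_ipv4(0x4321, 0, True, PAYLOAD[:16]))]:
        r = d.add(frame, raw) or r
    return r

if __name__ == "__main__":
    print(demo_out_of_order())
    print(demo_overlap_conflict())
```

In the first run the datagram is only returned when frame 3 arrives, so frames 1 and 2 would be marked “Reassembled in: 3”. In the second run the result carries two conflict pairs, (1, 2) and (2, 4), which is the signal an analyst should filter for before trusting anything decoded from that datagram.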

 

The following example shows how to enable TCP stream reassembly, which is what most application-protocol dissectors rely on:

  • Open Edit > Preferences.
  • Navigate to the “Protocols” section and select TCP.
  • Check “Allow subdissector to reassemble TCP streams” and, for captures with out-of-order delivery, “Reassemble out-of-order segments”.
  • Click OK. The change takes effect immediately and Wireshark redissects the open capture; no restart is needed. The same settings can be passed to tshark on the command line with -o tcp.desegment_tcp_streams:TRUE and -o tcp.reassemble_out_of_order:TRUE.

Packet Reassembly is very useful in troubleshooting application protocols, but there are cases where you want it off. If you are diagnosing the transport itself (retransmissions, segment sizes, IP fragmentation, or fragment-overlap tricks used to evade intrusion detection), you need to see each frame dissected on its own, just as a tool like tcpdump shows it. With reassembly enabled, the decoded message appears only in the frame that completes it and the preceding frames are collapsed to “[TCP segment of a reassembled PDU]”; a display filter on the application protocol will therefore match only that last frame, not every frame that carried part of the message.
 

Packet Reassembly in Capture Files:

Once you have opened a capture file, the reassembly-related fields are the quickest way to find out which frames make up a message and why a message was not decoded. They appear in the packet details pane under “Reassembled TCP Segments” or “Reassembled IPv4”, and every one of them can be used in a display filter.
 

  • Step 1: Apply a display filter for the conversation of interest, for example “tcp.stream eq 0” or “http”.
  • Step 2: Select a frame that shows the decoded message and expand “Reassembled TCP Segments (N bytes)” in the packet details pane; it lists every frame that contributed, with the byte range each supplied.
  • Step 3: Note the frame numbers. The filter “tcp.reassembled_in == N” lists all segments that were combined into frame N, and “tcp.segment” lists every frame that is part of any reassembled PDU.
  • Step 4: For IP-level fragmentation, use “ip.flags.mf == 1 || ip.frag_offset > 0” to find fragments and “ip.reassembled_in” to find where they were put back together. “ip.fragment.overlap.conflict” flags fragments whose overlapping bytes disagree, a classic evasion pattern that deserves a closer look.
  • Step 5: If a message was not reassembled, look for the expert info “TCP Previous segment not captured” and check whether frames were truncated with “frame.cap_len < frame.len”.
  • Step 6: To read the whole exchange as a byte stream regardless of segmentation, right-click a frame and choose Follow > TCP Stream.
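The TCP side of the same mechanism, as an added example that is not Wireshark’s code: one direction of a connection, a toy HTTP response subdissector that reports how many bytes it needs (the equivalent of a dissector setting desegment_len), and a reassembler that buffers out-of-order segments by sequence number and records, for each completed message, which frames contributed and the frame in which it completed (the value Step 3’s “tcp.reassembled_in” filter matches). Sequence numbers are relative, as Wireshark displays them by default, with the first payload byte at 1; the two HTTP responses, the segment boundaries and the frame numbers are constructed for the example.

```python
from dataclasses import dataclass

# Added example, not Wireshark code. Frame numbers and the HTTP responses are constructed.

@dataclass
class Segment:
    frame: int     # capture frame number
    seq: int       # relative TCP sequence number of the first payload byte
    data: bytes

def http_pdu_length(buf):
    """Toy HTTP response subdissector: full message length once the headers are complete,
    or -1 meaning 'need more data' (a Wireshark dissector would set pinfo->desegment_len)."""
    end = buf.find(b"\r\n\r\n")
    if end < 0:
        return -1
    head = buf[:end].lower()
    i = head.find(b"content-length:")
    body = int(head[i + 15:].split(b"\r\n", 1)[0].strip()) if i >= 0 else 0
    return end + 4 + body

class StreamReassembler:
    """One direction of one TCP connection, behaving like 'Allow subdissector to reassemble
    TCP streams' together with 'Reassemble out-of-order segments'."""
    def __init__(self, first_seq=1):
        self.next_seq = first_seq  # next byte expected in stream order
        self.pending = {}          # seq -> Segment that arrived ahead of a gap
        self.buf = b""             # contiguous bytes not yet consumed by the subdissector
        self.parts = []            # (frame, byte count) for each slice of buf, in stream order
        self.done = []             # (pdu bytes, contributing frames, reassembled-in frame)

    def add(self, seg):
        self.pending[seg.seq] = seg
        while self.next_seq in self.pending:       # drain everything that is now contiguous
            s = self.pending.pop(self.next_seq)
            self.buf += s.data
            self.parts.append((s.frame, len(s.data)))
            self.next_seq += len(s.data)
        while self.buf:                             # hand complete PDUs to the subdissector
            need = http_pdu_length(self.buf)
            if need < 0 or len(self.buf) < need:
                break                               # "[TCP segment of a reassembled PDU]"
            pdu, self.buf = self.buf[:need], self.buf[need:]
            used, rem = [], need
            while rem > 0:                          # attribute the PDU's bytes to their frames
                frame, n = self.parts[0]
                used.append(frame)
                if n <= rem:
                    self.parts.pop(0)
                    rem -= n
                else:
                    self.parts[0] = (frame, n - rem)
                    rem = 0
            # the arriving frame completed the message: that is its "reassembled in" frame
            self.done.append((pdu, sorted(set(used)), seg.frame))
        return self.done

RESP1 = b"HTTP/1.1 200 OK\r\nContent-Length: 12\r\n\r\nHello, World"   # 51 bytes
RESP2 = b"HTTP/1.1 204 No Content\r\n\r\n"                             # 27 bytes
STREAM = RESP1 + RESP2

def demo():
    """Four segments of up to 20 bytes; frame 6 arrives before frame 7, so frame 7 completes RESP1
    and frame 8 completes RESP2 from the tail of frame 6 plus its own bytes."""
    r = StreamReassembler()
    for frame, seq in [(5, 1), (6, 41), (7, 21), (8, 61)]:
        r.add(Segment(frame, seq, STREAM[seq - 1:seq - 1 + 20]))
    return r.done

if __name__ == "__main__":
    for pdu, frames, reassembled_in in demo():
        print(f"reassembled in frame {reassembled_in} from frames {frames}: {pdu[:20]!r}...")
```

Note that frame 6 contributes to both responses: its first 11 bytes finish RESP1 and its last 9 start RESP2. Wireshark handles that case the same way, which is why a single frame can appear in two “Reassembled TCP Segments” lists, and why “tcp.reassembled_in” on its own is not a reliable way to count messages.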

Conclusion: 

Packet Reassembly is a very useful tool in troubleshooting, provided you know where to look for the result: the decoded message is shown in the frame that completed it, and the frames before it only point to that frame. If you need to inspect each packet individually as it appeared on the wire, for example a capture taken with tcpdump that you are examining for transport-level problems, disable reassembly for the protocol concerned. Reassembly also works during a live capture, although a frame’s “Reassembled in” link to a later frame may only be filled in once the capture is redissected, for example when the capture stops or a filter is reapplied.

