Wireshark - 1.9 Mode D'Emploi
Advanced Topics
125
Los Angeles New York
Madrid
London
Berlin
Tokyo
Displayed
Time (Local
Time)
Time (Local
Time)
02:00
05:00
09:00
10:00
11:00
19:00
An example: Let's assume that someone in Los Angeles captured a packet with Wireshark at exactly 2
o'clock local time and sends you this capture file. The capture file's time stamp will be represented in UTC
as 10 o'clock. You are located in Berlin and will see 11 o'clock on your Wireshark display.
o'clock local time and sends you this capture file. The capture file's time stamp will be represented in UTC
as 10 o'clock. You are located in Berlin and will see 11 o'clock on your Wireshark display.
Now you have a phone call, video conference or Internet meeting with that one to talk about that capture
file. As you are both looking at the displayed time on your local computers, the one in Los Angeles still
sees 2 o'clock but you in Berlin will see 11 o'clock. The time displays are different as both Wireshark
displays will show the (different) local times at the same point in time.
file. As you are both looking at the displayed time on your local computers, the one in Los Angeles still
sees 2 o'clock but you in Berlin will see 11 o'clock. The time displays are different as both Wireshark
displays will show the (different) local times at the same point in time.
Conclusion: You may not bother about the date/time of the time stamp you currently look at, unless you
must make sure that the date/time is as expected. So, if you get a capture file from a different time zone and/
or DST, you'll have to find out the time zone/DST difference between the two local times and "mentally
adjust" the time stamps accordingly. In any case, make sure that every computer in question has the correct
time and time zone setting.
must make sure that the date/time is as expected. So, if you get a capture file from a different time zone and/
or DST, you'll have to find out the time zone/DST difference between the two local times and "mentally
adjust" the time stamps accordingly. In any case, make sure that every computer in question has the correct
time and time zone setting.
7.6. Packet Reassembling
7.6.1. What is it?
Network protocols often need to transport large chunks of data, which are complete in themselves, e.g.
when transferring a file. The underlying protocol might not be able to handle that chunk size (e.g. limitation
of the network packet size), or is stream-based like TCP, which doesn't know data chunks at all.
when transferring a file. The underlying protocol might not be able to handle that chunk size (e.g. limitation
of the network packet size), or is stream-based like TCP, which doesn't know data chunks at all.
In that case the network protocol has to handle the chunk boundaries itself and (if required) spread the
data over multiple packets. It obviously also needs a mechanism to determine the chunk boundaries on
the receiving side.
data over multiple packets. It obviously also needs a mechanism to determine the chunk boundaries on
the receiving side.
Tip!
Wireshark calls this mechanism reassembling, although a specific protocol specification
might use a different term for this (e.g. desegmentation, defragmentation, ...).
might use a different term for this (e.g. desegmentation, defragmentation, ...).
7.6.2. How Wireshark handles it
For some of the network protocols Wireshark knows of, a mechanism is implemented to find, decode and
display these chunks of data. Wireshark will try to find the corresponding packets of this chunk, and will
show the combined data as additional pages in the "Packet Bytes" pane (for information about this pane,
see
display these chunks of data. Wireshark will try to find the corresponding packets of this chunk, and will
show the combined data as additional pages in the "Packet Bytes" pane (for information about this pane,
see
Figure 7.2. The "Packet Bytes" pane with a reassembled tab
Note!
Reassembling might take place at several protocol layers, so it's possible that multiple tabs
in the "Packet Bytes" pane appear.
in the "Packet Bytes" pane appear.