Why does WireShark think this frame is a TCP segment of a reassembled PDU

Tags: tcp, wireshark

Please find a small pcap file here illustrating my problem.

I have a three-way TCP handshake, followed by two FIX logons. (FIX is a protocol used in trading.) The first FIX logon (frame 4) is interpreted and parsed just fine by WireShark, but the second logon (frame 6) is interpreted as a TCP segment of a reassembled PDU.

However frame 6 is not a TCP segment of a reassembled PDU. It contains a full TCP PDU that should be interpreted and parsed as a FIX logon. I have checked that the sequence numbers, ACK numbers, IP total lengths, etc. are all good.

Why is frame 6 interpreted as a TCP segment of a reassembled PDU?

Best Answer

Having the hosts numbered .76 and .67 is a little bit mind-numbing.

Wireshark is calling frame 6 a "TCP segment of a reassembled PDU" because your TCP implementation on 10.10.10.67 is opting to send an ACK w/o payload (a "naked" ACK) rather than including the payload that gets sent in frame 6 w/ the ACK in frame 5. (This is an OS/IP stack-dependent behavior.) This is, in turn, triggering a behavior in the TCP dissector to hand off the payloads from the multiple TCP segments to the FIX dissector. For whatever reason, the FIX dissector isn't interpreting frame 6.

If you turn off the "Allow subdissector to desegment TCP streams" option in the TCP dissector's options you'll find that Wireshark interprets this differently:

Wireshark screenshot

Here's some discussion from the wireshark-users list about the same thing.
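As an added example that is not part of the original post, here is a small Python model of the framing decision a desegmenting dissector has to make: it uses the FIX BodyLength field (tag 9) and the fixed `10=NNN<SOH>` trailer to tell whether a TCP payload holds a complete logon PDU or whether the next segment is needed. The logon messages and SOH-delimited fields are constructed here; the Wireshark dissector's own internals are not reproduced.

```python
# Constructed example: FIX message framing as a TCP-aware dissector must see it.
# Assumption: standard FIX tag=value fields delimited by SOH (0x01), with
# 8=BeginString first, 9=BodyLength second and 10=CheckSum as the trailer.
SOH = b"\x01"

def fix_checksum(data: bytes) -> bytes:
    """CheckSum = sum of all bytes up to and including the SOH before tag 10, mod 256."""
    return b"%03d" % (sum(data) % 256)

def build_fix(fields):
    """Build a FIX message from (tag, value) pairs; tags 8, 9 and 10 are generated."""
    body = b"".join(b"%d=%s" % (tag, val) + SOH for tag, val in fields)
    head = b"8=FIX.4.2" + SOH + b"9=%d" % len(body) + SOH
    msg = head + body
    return msg + b"10=" + fix_checksum(msg) + SOH

def fix_pdu_length(buf: bytes):
    """Length of the complete FIX PDU at the start of buf, or None if more bytes are needed.
    BodyLength counts bytes from after its own SOH up to and including the SOH
    before tag 10; the trailer '10=NNN<SOH>' is a fixed 7 bytes."""
    if len(buf) < 5:                       # not even enough to check BeginString
        return None
    if not buf.startswith(b"8=FIX"):
        raise ValueError("payload does not start with a FIX BeginString")
    soh1 = buf.find(SOH)
    if soh1 < 0:
        return None                        # BeginString not yet terminated
    if not buf.startswith(b"9=", soh1 + 1):
        raise ValueError("BodyLength must be the second field")
    soh2 = buf.find(SOH, soh1 + 1)
    if soh2 < 0:
        return None                        # BodyLength not yet terminated
    body_len = int(buf[soh1 + 3:soh2])
    total = soh2 + 1 + body_len + 7
    return total if len(buf) >= total else None

def split_pdus(segments):
    """Feed TCP payloads in stream order; return (complete messages, leftover bytes),
    which is what a desegmenting dissector hands to the FIX dissector."""
    buf, msgs = b"", []
    for seg in segments:
        buf += seg
        while (n := fix_pdu_length(buf)) is not None:
            msgs.append(buf[:n])
            buf = buf[n:]
    return msgs, buf

LOGON1 = build_fix([(35, b"A"), (49, b"CLIENT"), (56, b"SERVER"), (34, b"1"), (98, b"0"), (108, b"30")])
LOGON2 = build_fix([(35, b"A"), (49, b"SERVER"), (56, b"CLIENT"), (34, b"1"), (98, b"0"), (108, b"30")])
```

Running `split_pdus([LOGON1, LOGON2])` yields both logons with nothing left over, i.e. each payload is a whole PDU on its own; only when a message is cut mid-segment does the leftover buffer become non-empty.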
