Wireshark · Ethereal-dev: RE: [Ethereal-dev] Re: Ethereal WebSphere MQ dissection on segmentedmessage

Ethereal-dev: RE: [Ethereal-dev] Re: Ethereal WebSphere MQ dissection on segmentedmessage

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Emmanuel Soden" <e.soden-mls@xxxxxxxxxxx>

Date: Mon, 23 Jan 2006 21:31:47 +0100

Hi,
 Thanks for the tips. I will make this test and also stop capturing on
localhost. This capture has been done just to test segmentation behavior.
Actually, I'm testing dissector using two websphere MQ servers one on a
Linux box and the other one on an AIX system.

In this configuration protocol is better but MQ dissector doesn't know how
to reassemble data until I tell Ethereal to "decode as..." the capture file.
In this case all data will be reassembled correctly. I will send you the
capture file. I don't why the dissector don't know how to reassemble data by
itself.

I have noticed also that some of the Structure labels are not defined like
'RFH'. I will send you another containing capture files.

Thanks again for your help.

Regards,
Manu 

-----Original Message-----

At 21:46 18/01/2006 +0100, e.soden-mls@xxxxxxxxxxx wrote:
 > I m using WebSphere MQ dissector built within ethereal 0.10.14. I ve 
made a simple test send 256K using application segmentation. I split a 256K 
into 31,5K segment.
 > I get some trouble to see MQ packet in ethereal:
 >  - First packet (MESSAGE_DATA) is displayed correctly in the packet list 
pane. But nothing appears in the packet details pane.
 >  - Last MESSAGE_DATA is displayed correctly.
 >  - All MESSAGE_DATA between first and last packet are dissected as TCP 
segment of a reassembled PDU and I get for each of them a TCP ACKed lost 
segment .
 > What happened there? Somebody could explain what happens?
 > I attach to this mail a capture file to test it and a small png file 
showing the behavior.

Hi Manu,

 From the capture file it appears that you were capturing on localhost with 
a maximum Ethernet packet size of about 16K, although the largest packet in 
the transmission is about 32K.
Please restart the capture with a maximum packet size of at least 32K.
Since the packets are not complete, the MQ dissector is confused when it 
tries to desegment/reassemble the packets.
You can see that if you disable the two levels of reassembly in the 
preferences of the MQ dissector.
All the MESSAGE_DATA packets are larger than 16K, except the last 
one.  This is the reason why the last packet is displayed properly in the
pane.
Please let me know if this completely fixes your problem.

Cheers,

metatech 

_______________________________________________
Ethereal-dev mailing list
Ethereal-dev@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-dev

References:
- [Ethereal-dev] Re: Ethereal WebSphere MQ dissection on segmented message
  - From: metatech

Prev by Date: Re: [Ethereal-dev] Help with extending RSVP dissector
Next by Date: SV: [Ethereal-dev] RE: [Ethereal-users] BUG: 802.1ab (a.k.a LLDP) -Chassis IDTLV = IPAddress
Previous by thread: [Ethereal-dev] Re: Ethereal WebSphere MQ dissection on segmented message
Next by thread: [Ethereal-dev] Lua tarball in svn?
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$