User Guide
Advanced Topics
Note!
You will find the reassembled data in the last packet of the chunk.
An example: in an HTTP GET response, the requested data (e.g. an HTML page) is returned. Wireshark
will show the hex dump of the data in a new tab "Uncompressed entity body" in the "Packet Bytes" pane.
Reassembly is enabled in the preferences by default. The defaults were changed from disabled to enabled
in September 2005. If you created your preference settings before this date, you may want to check whether
reassembly is actually enabled, as it can be extremely helpful while analyzing network packets.
Enabling or disabling the reassembly settings of a protocol typically requires two things:
1. The lower-level protocol (e.g., TCP) must support reassembly. Often this reassembly can be enabled or
disabled via the protocol preferences.
2. The higher-level protocol (e.g., HTTP) must use the reassembly mechanism to reassemble fragmented
protocol data. This too can often be enabled or disabled via the protocol preferences.
The tooltip of the higher-level protocol setting will tell you whether a lower-level protocol setting
also has to be considered, and which one.
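The two layers described above, and the note that the reassembled data appears in the last packet of the chunk, can be seen in a small sketch. This is an added example, not Wireshark's dissector code; the function names, sequence numbers and HTTP response are constructed for illustration.

```python
# Added illustration (not Wireshark code). All sample data is constructed.
BODY = b"<html><p>hello</p></html>\n"
RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
            b"Content-Length: " + str(len(BODY)).encode() + b"\r\n\r\n" + BODY)
# Constructed capture: the response split into 30-byte TCP segments (seq, payload).
SEGMENTS = [(1000 + i, RESPONSE[i:i + 30]) for i in range(0, len(RESPONSE), 30)]

def reassemble_tcp(segments):
    """Lower level: order segments by sequence number and join contiguous bytes.
    Retransmitted or overlapping bytes are dropped; a gap stops reassembly."""
    stream, base = b"", None
    for seq, payload in sorted(segments):
        if base is None:
            base = seq
        offset = seq - base
        if offset > len(stream):        # a segment is missing: stop here
            break
        stream += payload[len(stream) - offset:]
    return stream

def http_body(stream):
    """Higher level: return the entity body once Content-Length bytes are
    present in the reassembled stream, else None (more segments needed)."""
    head, sep, body = stream.partition(b"\r\n\r\n")
    if not sep:
        return None                     # headers not complete yet
    length = None
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            length = int(value.strip())
    if length is None or len(body) < length:
        return None
    return body[:length]

def body_per_packet(segments):
    """Feed segments in capture order; entry i is what the HTTP layer can
    show after packet i has been seen."""
    seen, results = [], []
    for seg in segments:
        seen.append(seg)
        results.append(http_body(reassemble_tcp(seen)))
    return results

if __name__ == "__main__":
    for (seq, _), body in zip(SEGMENTS, body_per_packet(SEGMENTS)):
        print(seq, "body available" if body else "waiting for more segments")
```

If either layer is switched off (no TCP reassembly, or an HTTP layer that only looks at one segment at a time), the body is never available as a whole, which is the situation the two preference settings control.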
7.7. Name Resolution
Name resolution tries to convert some of the numerical address values into a human-readable format.
There are two possible ways to do these conversions, depending on the resolution to be done: calling
system/network services (like the gethostname() function) and/or resolving from Wireshark-specific
configuration files. For details about the configuration files Wireshark uses for name resolution and the like,
see Appendix A, Files and Folders.
The name resolution feature can be enabled individually for the protocol layers listed in the following
sections.
7.7.1. Name Resolution drawbacks
Name resolution can be invaluable while working with Wireshark and may even save you hours of work.
Unfortunately, it also has its drawbacks.
• Name resolution will often fail. The name to be resolved might simply be unknown to the name servers
asked, or the servers are just not available and the name is also not found in Wireshark's configuration
files.
• The resolved names are not stored in the capture file or anywhere else. So the resolved names
might not be available if you open the capture file later or on a different machine. Each time you open a
capture file it may look "slightly different", simply because you can't connect to the name server (which
you could connect to before).
• DNS may add additional packets to your capture file. You may see packets to/from your machine
in your capture file that are caused by the name resolution network services of the machine Wireshark
captures from. XXX - are there any other such packets than DNS ones?
• Resolved DNS names are cached by Wireshark. This is required for acceptable performance.
However, once name resolution information has been cached, Wireshark won't notice if it changes
while Wireshark is running, e.g. when a new DHCP lease takes effect. XXX - is
this true for all or only for DNS info?