Some questions about reassembly

Dec 28, 2012 at 5:43 AM

Is there a way to show only the final defragmented frames of a specific protocol? It seems like that would be very easy to archive by using the reassembly engine for non-fragmented frames too.

Can you split up frames? I'm working a protocol where multiple messages are sent in a single TCP frame. I'd very much prefer a linear list of messages instead of having to inspect each frame to see if there's more.

And finally, can you parse TCP streams where the TCP frames has no relation to the payload's frames?

 

Jan 3, 2013 at 2:59 PM

For some protocols we've created a way to see only the relevant fragments (http://blogs.technet.com/b/netmon/archive/2010/11/04/reassembly-made-easier.aspx).  Let me know if you need more details or if this doesn't solve your problem.

We don't have a way to do "Embedded Reassembly", as we call it.  Though this is something that we do support in Message Analyzer if a beta product is an option for you.  (http://blogs.technet.com/b/messageanalyzer/)

As for parsing TCP streams, we do have problems when the frames don't line up with the TCP boundaries.  If this is what you are referring too, this is something we are addressing with Message Analyzer.

Thanks,

Paul