I have the following 2 TCP packets I'm picking up on winpcap:
http://pastebin.com/FUAs3UZ7 or in a pcap format https://www.dropbox.com/s/0ss4j0weszy92no/SO.pcap
Those 2 packets are to be reassembled, but their IP flags are "010", meaning "Don't Fragment", and the fragment offset is on 0. They do have a consecutive identification number, but if I understand correctly this alone is not enough to define a fragmented packet.
Wireshark does reassemble those packets, and I can't really understand why.
What am I missing here? How does Wireshark know to reassemble those 2 packets?