Wireshark mailing list archives
Re: Identification of Fragmented UDP Packets
From: Guy Harris <guy () alum mit edu>
Date: Thu, 21 Jan 2010 10:24:58 -0800
On Jan 21, 2010, at 9:30 AM, Eddie wrote:
On the LAN side, a UDP request of 2220 bytes was sent, which was spread over two packets. The first, was identified by WireShark as an IP packet, and contained 1280 bytes of data. The "More fragments" bit is set. The second packet, was identified as UDP/ISAKMP, containing 940 bytes of data, with no fragmentation bits set. WireShark also shows the completely reassembled data.
Yes. Wireshark's IP reassembly code reassembled the packets, and dissected the reassembled contents when the reassembly was complete; the reassembly is done in order, so that was done with the second packets. The "More fragments" bit is, not surprisingly, not set on the last fragment.
Again, on the WAN side I also see two packets, as the total length is greater than the MTU. However, on this interface it's the 1st one that is identified as UDP/ISAKMP, with 1480 bytes of data, and the "More fragments" bit set. The 2nd packet is only identified as IP, with 740 bytes of data, and no fragmentation bits set. WireShark does *not* show any reassembled data.
Apparently, Wireshark *isn't* reassembling the fragments in that case. Do the fragments have the same IP identification field? Does Wireshark have the "Reassemble fragmented IP datagrams" flag set in both cases?
I've looked through the headers, and cannot see anything different between the headers on the LAN and the WAN packets that might cause this difference in interpretation.
What differences are there between the IP headers? ___________________________________________________________________________ Sent via: Wireshark-users mailing list <wireshark-users () wireshark org> Archives: http://www.wireshark.org/lists/wireshark-users Unsubscribe: https://wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request () wireshark org?subject=unsubscribe
Current thread:
- Identification of Fragmented UDP Packets Eddie (Jan 21)
- Re: Identification of Fragmented UDP Packets Guy Harris (Jan 21)
- Re: Identification of Fragmented UDP Packets Eddie (Jan 21)
- Re: Identification of Fragmented UDP Packets Guy Harris (Jan 21)
- Re: Identification of Fragmented UDP Packets Eddie (Jan 21)
- Re: Identification of Fragmented UDP Packets Guy Harris (Jan 21)
- Re: Identification of Fragmented UDP Packets Eddie (Jan 21)
- Re: Identification of Fragmented UDP Packets Guy Harris (Jan 21)
- Re: Identification of Fragmented UDP Packets Eddie (Jan 21)
- Re: Identification of Fragmented UDP Packets Guy Harris (Jan 21)
- Re: Identification of Fragmented UDP Packets Eddie (Jan 21)
- Re: Identification of Fragmented UDP Packets Guy Harris (Jan 21)