Re: Identification of Fragmented UDP Packets

[Guy Harris <guy () alum mit edu>]

On Jan 21, 2010, at 9:30 AM, Eddie wrote:

> On the LAN side, a UDP request of 2220 bytes was sent, which was spread 
> over two packets.  The first, was identified by WireShark as an IP 
> packet, and contained 1280 bytes of data.  The "More fragments" bit is 
> set.  The second packet, was identified as UDP/ISAKMP, containing 940 
> bytes of data, with no fragmentation bits set.  WireShark also shows the 
> completely reassembled data.

Yes.  Wireshark's IP reassembly code reassembled the packets, and dissected the reassembled contents when the 
reassembly was complete; the reassembly is done in order, so that was done with the second packets.

The "More fragments" bit is, not surprisingly, not set on the last fragment.

> Again, on the WAN side I also see two packets, as the total length is 
> greater than the MTU.  However, on this interface it's the 1st one that 
> is identified as UDP/ISAKMP, with 1480 bytes of data, and the "More 
> fragments" bit set.  The 2nd packet is only identified as IP, with 740 
> bytes of data, and no fragmentation bits set.  WireShark does *not* show 
> any reassembled data.

Apparently, Wireshark *isn't* reassembling the fragments in that case.

Do the fragments have the same IP identification field?

Does Wireshark have the "Reassemble fragmented IP datagrams" flag set in both cases?

> I've looked through the headers, and cannot see anything different 
> between the headers on the LAN and the WAN packets that might cause this 
> difference in interpretation.

What differences are there between the IP headers?
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe