Wireshark · Ethereal-users: Re: [Ethereal-users] IP Fragment Reassembly

Ethereal-users: Re: [Ethereal-users] IP Fragment Reassembly

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Chris Waters <chris@xxxxxxxxxxxx>

Date: Sat, 08 Jun 2002 10:31:21 -0700

Thanks, now I understand. I was looking at the packet list, and not at the
decode tree and so was thinking that the fact that I was still seeing
"Fragmented IP protocol" packets meant that the reassembly wasn't happening.

Is there any way to prevent the fragments from being displayed after
reassembly has occurred? What I really want to do is look at the trace
without knowing that the packets were fragmented on the wire.

Thanks,

Chris.

----- Original Message -----
From: "Guy Harris" <gharris@xxxxxxxxx>
To: "Chris Waters" <chris@xxxxxxxxxxxx>
Cc: "EtherealUsers" <ethereal-users@xxxxxxxxxxxx>
Sent: Saturday, June 08, 2002 3:29 AM
Subject: Re: [Ethereal-users] IP Fragment Reassembly


> On Fri, Jun 07, 2002 at 10:57:26PM -0700, Chris Waters wrote:
> > What is the expected operation of the IP fragment reassembly option?
>
> It's expected to reassemble fragmented IP datagrams. :-)
>
> All but the last fragment should say "IP" in the Protocol column and
>
> Fragmented IP protocol (proto={the protocol}, off={the offset})
>
> in the Info column, and the last fragment ("last" as in "the one that
> was captured last") should show the appropriate protocol in the Protocol
> column and the appropriate stuff in the Info column.  Under the
> "Internet Protocol" tree item in the protocol tree pane there should be
> an "IP Fragments" subtree, with information about the frames containing
> the fragments.
>
> > I enabled the option and captured a series of 2000 byte pings but didn't
> > notice any difference.  i.e.  the packets weren't reassembled in the
> > display.
>
> I have it enabled by default, and just did some 2000-byte pings, and it
> reassembled them.
>
> > I also tried saving and reopening the trace, but that didn't
> > change anything either.  Is it working correctly? I am using a version
> > built from the latest sources.
>
> I'm also using a reversion built from the latest CVS source.
>
> Note that if
>
> 1) you didn't capture the full packet (i.e., you gave a snapshot
>    length not large enough to get all the packet data)
>
> or
>
> 2) the IP checksum isn't valid
>
> reassembly isn't done.
>

Follow-Ups:
- Re: [Ethereal-users] IP Fragment Reassembly
  - From: Guy Harris

References:
- [Ethereal-users] IP Fragment Reassembly
  - From: Chris Waters
- Re: [Ethereal-users] IP Fragment Reassembly
  - From: Guy Harris

Prev by Date: Re: [Ethereal-users] IP Fragment Reassembly
Next by Date: Re: [Ethereal-users] IP Fragment Reassembly
Previous by thread: Re: [Ethereal-users] IP Fragment Reassembly
Next by thread: Re: [Ethereal-users] IP Fragment Reassembly
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$