On Jan 21, 2010, at 9:30 AM, Eddie wrote:
> On the LAN side, a UDP request of 2220 bytes was sent, which was spread
> over two packets. The first, was identified by WireShark as an IP
> packet, and contained 1280 bytes of data. The "More fragments" bit is
> set. The second packet, was identified as UDP/ISAKMP, containing 940
> bytes of data, with no fragmentation bits set. WireShark also shows the
> completely reassembled data.
Yes. Wireshark's IP reassembly code reassembled the packets, and dissected the reassembled contents when the reassembly was complete; the reassembly is done in order, so that was done with the second packets.
The "More fragments" bit is, not surprisingly, not set on the last fragment.
> Again, on the WAN side I also see two packets, as the total length is
> greater than the MTU. However, on this interface it's the 1st one that
> is identified as UDP/ISAKMP, with 1480 bytes of data, and the "More
> fragments" bit set. The 2nd packet is only identified as IP, with 740
> bytes of data, and no fragmentation bits set. WireShark does *not* show
> any reassembled data.
Apparently, Wireshark *isn't* reassembling the fragments in that case.
Do the fragments have the same IP identification field?
Does Wireshark have the "Reassemble fragmented IP datagrams" flag set in both cases?
> I've looked through the headers, and cannot see anything different
> between the headers on the LAN and the WAN packets that might cause this
> difference in interpretation.
What differences are there between the IP headers?
