Wireshark-users: Re: [Wireshark-users] Identification of Fragmented UDP Packets
From: Eddie <stunnel@xxxxxxxxxxxxx>
Date: Thu, 21 Jan 2010 11:08:50 -0800


Guy Harris wrote:
Yes.  Wireshark's IP reassembly code reassembled the packets, and dissected the reassembled contents when the reassembly was complete; the reassembly is done in order, so that was done with the second packets.

The "More fragments" bit is, not surprisingly, not set on the last fragment.
Also, as I would have expected.

Apparently, Wireshark *isn't* reassembling the fragments in that case.
Yep, it ain't doing so.

Do the fragments have the same IP identification field?
Yes.

Does Wireshark have the "Reassemble fragmented IP datagrams" flag set in both cases?
I haven't touched any of the settings since installing. But, still checked, and yes, it's set.

What differences are there between the IP headers?
Like I said, none that I can see, that would make a difference:

LAN IP headers:

0000   45 00 05 14 05 d7 20 00 80 11 f3 f9 c0 a8 00 1e  E..... .........
0010   ab a1 af a0                                      ....

0000   45 00 03 c0 05 d7 00 a0 80 11 14 ae c0 a8 00 1e  E...............
0010   ab a1 af a0                                      ....

WAN IP headers:

0000   45 00 05 dc 36 98 20 00 7f 11 a7 46 62 94 7a 5c  E...6. ....Fb.z\
0010   ab a1 af a0                                      ....

0000   45 00 02 f8 36 98 00 b9 7f 11 c9 71 62 94 7a 5c  E...6......qb.z\
0010   ab a1 af a0                                      ....

Is there a way to grab the interpreted version of these?

Cheers.
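
Added example, not part of the original message and not Wireshark's own code: a Python decode of the four IPv4 headers quoted above, giving an interpreted view of the fields the thread discusses (identification, "More fragments" bit, fragment offset) and checking that each pair of fragments is contiguous. The function names `parse_ipv4` and `reassembly_check` are hypothetical.

```python
import ipaddress
import struct

# The four 20-byte IPv4 headers quoted in the post, copied byte for byte.
HEADERS = {
    "LAN frag 1": "45 00 05 14 05 d7 20 00 80 11 f3 f9 c0 a8 00 1e ab a1 af a0",
    "LAN frag 2": "45 00 03 c0 05 d7 00 a0 80 11 14 ae c0 a8 00 1e ab a1 af a0",
    "WAN frag 1": "45 00 05 dc 36 98 20 00 7f 11 a7 46 62 94 7a 5c ab a1 af a0",
    "WAN frag 2": "45 00 02 f8 36 98 00 b9 7f 11 c9 71 62 94 7a 5c ab a1 af a0",
}

def parse_ipv4(hexstr):
    """Decode one IPv4 header given as a hex string (spaces allowed)."""
    raw = bytes.fromhex(hexstr)
    (vihl, _tos, total_len, ident, flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (vihl & 0x0F) * 4
    # The one's-complement sum over a valid header folds to 0xFFFF.
    s = sum(struct.unpack("!%dH" % (ihl // 2), raw[:ihl]))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return {
        "id": ident, "total_len": total_len, "payload_len": total_len - ihl,
        "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
        "offset": (flags_frag & 0x1FFF) * 8,  # field counts 8-byte units
        "ttl": ttl, "proto": proto, "checksum_ok": s == 0xFFFF,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
    }

def reassembly_check(frags):
    """Return (consistent, payload_bytes) for fragments of one datagram."""
    frags = sorted(frags, key=lambda f: f["offset"])
    keys = {(f["src"], f["dst"], f["proto"], f["id"]) for f in frags}
    expected = 0
    for f in frags:
        if f["offset"] != expected:      # gap or overlap between fragments
            return False, expected
        expected += f["payload_len"]
    flags_ok = not frags[-1]["mf"] and all(f["mf"] for f in frags[:-1])
    return len(keys) == 1 and flags_ok, expected

if __name__ == "__main__":
    for name, h in HEADERS.items():
        print(name, parse_ipv4(h))
    for side in ("LAN", "WAN"):
        pair = [parse_ipv4(HEADERS[f"{side} frag {n}"]) for n in (1, 2)]
        print(side, reassembly_check(pair))
```
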