Wireshark-users: Re: [Wireshark-users] Identification of Fragmented UDP Packets
Date Index · Thread Index · Other Months · All Mailing Lists
Date Prev · Date Next · Thread Prev · Thread Next
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Thu, 21 Jan 2010 19:53:55 -0800
On Jan 21, 2010, at 7:34 PM, Eddie wrote:

> I foolishly followed the WireShark manual, and followed it's 
> instructions, for tcpdump, to capture the complete packets.  Except it 
> doesn't.  LOL
> 
> Frame Length:  1514
> Capture Length:  1500

That'll prevent reassembly.  It couldn't reassemble the packet - there was data missing at the end of the first fragment, so there'd be a hole in the middle of the reassembled packet.

> Maybe the doc needs updating.  :)

The doc probably needs *fixing*; it was probably *never* wrong.  Even *before* "-s 0" was supported by tcpdump, "-s 65535" worked (and Wireshark/TShark/dumpcap without "-s", and "tcpdump -s 0", do the exact same thing at the libpcap/WinPcap layer that "tcpdump -s 65535" do).  "Use the MTU with -s" is not only too much work (picking a value that's too big should be just fine, except perhaps with really old versions of libpcap on some OSes), it's also misleading, as you don't want the "MTU" in the sense of the biggest *payload*, you want the maximum *link-layer* packet size.

Where is that in the Wireshark manual?  I'll look at fixing it.