Wireshark-users: Re: [Wireshark-users] Wireshark-users Digest, Vol 48, Issue 1
Date: Sat, 1 May 2010 17:47:47 -0400
Message: 5
Date: Sat, 1 May 2010 09:02:49 +0300
From: Kevin Wilson <wkevils@xxxxxxxxx>
Subject: [Wireshark-users] TCP fragmentation and wireshark
To: wireshark-users@xxxxxxxxxxxxx

> Hello,
> I want to use the Wireshark sniffer for analyzing TCP fragmented traffic.
> I had written a small TCP client-server app, which creates large
> packets (over 20 K) and sends them.
> When I tried to sniff the traffic with Wireshark, I saw single
> packets, and no sign of fragmentation
> (like the ip frag_offset field, or the ip more fragments field).
> (I know for sure that the PMTU between client and server is 1500.)
>
> Any ideas why? Or maybe my application is not good and I can use
> existing applications?
>
> rgs,
> Kevin

Fragmentation is done at the IP layer, not at the TCP layer.
An IP host does not fragment TCP traffic because TCP uses sequence
numbers. Only a router does it, when the IP packet received on one interface
is too large to be sent on another interface (received from token-ring
and routed on Ethernet, for example).

UDP traffic is very often fragmented because there is no sequence
number. If you send 20 KB over UDP, only 1 UDP message is sent, but it is
fragmented into multiple IP packets.

Hope this helps.
Nicolas
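
The UDP case described in the reply above, as an added example that is not part of the original thread: it builds the IPv4 headers for one 20 KB UDP datagram sent over a 1500-byte MTU and decodes the fragment offset and more-fragments fields the question asks about. The addresses, IP ID and TTL are constructed values, and an IPv4 header without options is assumed.

```python
import socket
import struct

IP_HDR, UDP_HDR = 20, 8      # IPv4 header without options (assumption), UDP header
MF = 0x2000                  # "more fragments" bit in the flags/offset word

def checksum(hdr):
    """RFC 791 header checksum: one's-complement sum of the 16-bit words."""
    s = sum(struct.unpack("!10H", hdr))
    s = (s & 0xFFFF) + (s >> 16)
    s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def fragment_udp(payload_len, mtu=1500, ident=0x1234,
                 src="192.0.2.1", dst="192.0.2.2"):   # constructed values
    """Return the IPv4 headers a sender emits for one UDP datagram."""
    total = UDP_HDR + payload_len            # what IP has to carry
    if IP_HDR + total > 0xFFFF:
        raise ValueError("datagram exceeds the IPv4 total-length field")
    step = (mtu - IP_HDR) // 8 * 8           # offsets count 8-byte units
    headers = []
    for off in range(0, total, step):
        size = min(step, total - off)
        word = (MF if off + size < total else 0) | (off // 8)
        fields = [0x45, 0, IP_HDR + size, ident, word, 64, 17, 0,
                  socket.inet_aton(src), socket.inet_aton(dst)]
        fields[7] = checksum(struct.pack("!BBHHHBBH4s4s", *fields))
        headers.append(struct.pack("!BBHHHBBH4s4s", *fields))
    return headers

def describe(hdr):
    """Decode the fields the question asks about from a raw IPv4 header."""
    _, _, length, ident, word = struct.unpack("!BBHHH", hdr[:8])
    return {"id": ident, "total_len": length,
            "more_fragments": bool(word & MF),
            "frag_offset": (word & 0x1FFF) * 8}   # in bytes

if __name__ == "__main__":
    for h in fragment_udp(20 * 1024):             # the 20 KB case
        print(describe(h))
```

Every fragment carries the same IP ID, which is what a reassembler (or a capture analyst) uses to group them; only the first fragment contains the UDP header.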