
IP Fragmentation offset question

Good afternoon all!

I decided to learn a bit about packet analysis/Wireshark and picked up "Practical Packet Analysis 3E" by Chris Sanders. The book is using Wireshark 2.x and I'm using 3.x, and up until now everything was the same, but I noticed a slight change I was curious about. Since there isn't a forum for this book that I can find, I was wondering if someone here could explain in simple terms or (better) point me in the right direction to figure it out:

Looking at the flags of a fragmented IPv4 header in the packet details pane on Wireshark 2.x, the screenshot shows "Fragment offset:1480" just before the TTL, but in the example capture on 3.x it shows "..0 0000 1011 1001 = Fragment offset: 185" in the same place, and I was curious as to why and what the 185 means. I checked and it's the same packet (and I can see in the "info" pane of the packet list (proto=ICMP 1, off=1480,...)), and I also noticed the 3rd packet in the series has an offset of 370. So did I maybe accidentally hit a setting somewhere, or does 3.x express this info differently, and why?

I hope all that makes sense and thank you for your time!

JPolk
asked 2019-10-17 21:49:22 +0000

Comments

Yes, I too observed the same issue on the latest version 3.2.1 (v3.2.1-0-gbf38a67724d0)

sameerece (2020-01-30 15:30:29 +0000)

1 Answer


There was a bug in Wireshark that caused the display of this value to change. The 13-bit value in the packet has to be read as the number of 8-byte blocks (as an IP datagram can be 64K big and with 13 bits you can only address 8K). This bug has been fixed and should be included in the 3.2 release of Wireshark.

SYN-bit
answered 2019-10-18 00:04:21 +0000
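
The relationship between the two displayed values (185 on the wire, 1480 bytes into the datagram), as an added example that is not part of the original thread: the code decodes the fragmentation fields of an IPv4 header and checks a fragment set for gaps or overlaps. The three sample headers are constructed; the identification value, the addresses and the 1048-byte final fragment are assumptions, while the offsets 185 and 370 come from the question.

```python
import struct

def parse_frag_fields(header: bytes) -> dict:
    """Decode the fragmentation fields of an IPv4 header (RFC 791)."""
    if len(header) < 20:
        raise ValueError("IPv4 header needs at least 20 bytes")
    ver_ihl, _tos, total_len, ident, flags_off = struct.unpack("!BBHHH", header[:8])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    units = flags_off & 0x1FFF  # low 13 bits: offset counted in 8-byte blocks
    return {
        "id": ident,
        "mf": bool(flags_off & 0x2000),  # More Fragments flag
        "offset_units": units,           # raw field value, e.g. 185
        "offset_bytes": units * 8,       # byte position in the datagram, e.g. 1480
        "payload_len": total_len - (ver_ihl & 0x0F) * 4,
    }

def check_coverage(frags):
    """Return (reassembled_length, problems) for the fragments of one datagram."""
    problems, expected = [], 0
    frags = sorted(frags, key=lambda f: f["offset_bytes"])
    for f in frags:
        if f["offset_bytes"] > expected:
            problems.append(f"gap before byte {f['offset_bytes']}")
        elif f["offset_bytes"] < expected:
            problems.append(f"overlap at byte {f['offset_bytes']}")
        expected = max(expected, f["offset_bytes"] + f["payload_len"])
    if frags[-1]["mf"]:
        problems.append("final fragment missing")
    return expected, problems

def make_header(ident, mf, units, payload_len):
    """Build a constructed 20-byte IPv4/ICMP header (checksum left at 0)."""
    flags_off = (0x2000 if mf else 0) | units
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                       flags_off, 64, 1, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))

# Constructed sample: a fragmented ping whose 2nd and 3rd offsets match the question.
SAMPLE = [make_header(0x1234, True, 0, 1480),
          make_header(0x1234, True, 185, 1480),
          make_header(0x1234, False, 370, 1048)]

if __name__ == "__main__":
    parsed = [parse_frag_fields(h) for h in SAMPLE]
    for p in parsed:
        print(p)
    print(check_coverage(parsed))
```
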

Comments

Ah okay, thanks! That's good to know!

JPolk (2019-10-18 00:37:52 +0000)

IP: Make dissection of ip.frag_offset RFC 791 compliant
https://code.wireshark.org/review/33422
Pretty sure "vi" does not support spacebar temperature check. Will research.

Chuckc (2019-10-18 01:18:48 +0000)

IP: Make dissection of ip.frag_offset RFC 791 compliant https://code.wireshark.org/review/33422

And it is now also merged in 3.0, so the next 3.0 version will have the fix too. Thx @Guy Harris:

https://code.wireshark.org/review/#/c...

Pretty sure "vi" does not support spacebar temperature check. Will research.

? :-)

SYN-bit (2019-10-18 08:19:12 +0000)

Pretty sure "vi" does not support spacebar temperature check. Will research.

? :-)

See Peter Wu's first comment on the original change and the XKCD comic to which it links.

Guy Harris (2019-10-18 08:30:36 +0000)

Ah... forgot about the XKCD in that change :-)

Pretty sure "vi" does not support spacebar temperature check. Will research.

Pretty sure you will succeed in doing a temperature check in "vi" too :-)

SYN-bit (2019-10-18 09:16:44 +0000)
