
IP Fragmentation


I'm testing to understand fragmentation and not sure of the Wireshark interpretation. I hard coded the workstation to 1100 MTU and pinged with 1100 bytes to another host. The first captured packet is showing Fragmented IP protocol (Reassembled in #2), the second packet Ping Request (Reply in 3) and the third packet Echo Ping Reply (Request in 2). With the IPv4 preference Reassemble fragmented IPv4 datagrams unchecked, the first packet is Ping request and the second packet is the IP fragment. Can anyone explain? What is the correct setting for interpreting the fragmentation? Also, if this was UDP traffic such as audio/video, would it have an effect on the LAN versus the WAN with higher latency?

whodey1994
asked 2021-01-11 14:01:14 +0000

Comments

I have three captures and not sure of the Wireshark interpretation. Capture #2 and #3 are from SPAN sending to a capture appliance.

Capture #1 is tcpdump from the workstation. Capture #2 is from Data Center 1. Capture #3 is from Data Center 2.

Capture 1 (workstation):

  1. IPv4 1114 Fragmentation (Reassembled in #2)
  2. UDP 62

Capture 2 (DC 1):

  1. IPv4 62 Fragmented IP Protocol
  2. UDP 1114

Capture 3 (DC 2):

  1. IPv4 62 Fragmented IP Protocol
  2. UDP 1114

Why does the workstation frame 1 show 1114 bytes and Reassembled in #2, but frame #1 from DC1 and DC2 shows 62 bytes length as the first frame? I checked and unchecked the IPv4 Reassembly option, but still got the same result. I would expect the frames of all three captures to be the same.

whodey1994 (2021-02-26 22:41:08 +0000)

1 Answer


In the first instance (with Reassemble fragmented IPv4 datagrams checked) Wireshark sees that the first packet is only part of the IPv4 datagram and holds off dissection until it has everything of that IPv4 datagram. It now can only show an IPv4 fragment. So it happens that the second packet is that missing part of the complete IPv4 datagram. Therefore once the second packet is received the dissection is started on the reassembled IPv4 datagram and the ICMP echo request is dissected.

In the second instance (with Reassemble fragmented IPv4 datagrams unchecked) Wireshark sees that the first packet is only part of the IPv4 datagram, but starts dissection anyway since we didn't ask for reassembly. Then the second packet comes in view. Wireshark can see that it's a later (not the first) part of some IPv4 datagram, so it knows it can't dissect it further than an IPv4 fragment.

The difference is in the resulting dissection. In the first instance the dissection of the reassembled IPv4 datagram is the complete ICMP request, while in the second instance it's only the first bit.

Jaap
answered 2021-01-11 16:10:06 +0000

Comments

Thanks for the detailed explanation. So it's ideal to leave the Reassemble fragmented IPv4 datagrams checked then.

whodey1994 (2021-01-12 00:45:52 +0000)

Ideal depends on your situation, but it's usually desirable so that's why it's the default setting.

Jaap (2021-01-12 19:50:30 +0000)
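As an added example (not code from the original thread), this Python script reproduces the asker's scenario, a 1100-byte ping sent over a 1100-byte MTU: it fragments the datagram, reassembles it independent of arrival order, and shows why only the offset-0 fragment can be dissected as ICMP or UDP when reassembly is off. The addresses, IP ID and ICMP id/seq are constructed values; the resulting IP fragment sizes of 1100 and 48 bytes are the 1114- and 62-byte frames from the comments once the 14-byte Ethernet header is added.

```python
import struct

MTU = 1100          # link MTU the asker configured on the workstation
PING_SIZE = 1100    # bytes of ICMP echo payload the asker pinged with
ETHERNET_HDR = 14   # frame overhead Wireshark adds to the IP total length

def ipv4_header(total_len, ident, flags_off, proto=1):
    """Minimal 20-byte IPv4 header; checksum left zero (constructed, not captured)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_off,
                       64, proto, 0, bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))

def fragment(payload, ident, mtu=MTU, proto=1):
    """Split one transport payload into IPv4 fragments that fit the MTU.
    Every fragment but the last must carry a multiple of 8 data bytes because
    the fragment offset field counts 8-byte units."""
    max_data = (mtu - 20) // 8 * 8
    frags = []
    for off in range(0, len(payload), max_data):
        chunk = payload[off:off + max_data]
        more = off + len(chunk) < len(payload)
        flags_off = (0x2000 if more else 0) | (off // 8)   # MF flag | offset/8
        frags.append(ipv4_header(20 + len(chunk), ident, flags_off, proto) + chunk)
    return frags

def fragment_offset(frag):
    """Byte offset of this fragment's data within the original datagram."""
    return (struct.unpack("!H", frag[6:8])[0] & 0x1FFF) * 8

def reassemble(frags):
    """Rebuild the datagram whatever the capture order, which is what Wireshark
    does with 'Reassemble fragmented IPv4 datagrams' enabled."""
    parts = {fragment_offset(f): f[20:] for f in frags}
    return b"".join(parts[k] for k in sorted(parts))

def carries_transport_header(frag):
    """Only the offset-0 fragment holds the ICMP/UDP header, so it is the only
    one a dissector can label beyond 'Fragmented IP protocol' on its own."""
    return fragment_offset(frag) == 0

def frame_lengths(frags):
    """Lengths Wireshark shows in the frame list for each fragment."""
    return [len(f) + ETHERNET_HDR for f in frags]

# Constructed ICMP echo request: type 8, code 0, checksum 0, id, seq, payload.
ICMP_ECHO = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + bytes(PING_SIZE)
FRAGS = fragment(ICMP_ECHO, ident=0xBEEF)
```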
