
0x01 flag on last of fragmented packets

Hi to all, I read in RFC 791 that:

"The internet fragmentation and reassembly procedure needs to be able to break a datagram into an almost arbitrary number of pieces that can be later reassembled. The receiver of the fragments uses the identification field to ensure that fragments of different datagrams are not mixed. The fragment offset field tells the receiver the position of a fragment in the original datagram. The fragment offset and length determine the portion of the original datagram covered by this fragment. The more-fragments flag indicates (by being reset) the last fragment. These fields provide sufficient information to reassemble datagrams."

In a non-fragmented packet I have, as expected:

Flags: 0x00
    0... .... = Reserved bit: Not set
    .0.. .... = Don't fragment: Not set
    ..0. .... = More fragments: Not set
Fragment Offset: 0

But when I launch a traceroute with a byte size of 3000, so that my packets are split, I notice a strange behavior in the fragmentation flags; each packet is fragmented into 3 parts:

1480 bytes,

1480 bytes,

and a small one of the remaining 40 bytes (only data, not considering headers etc.).

In these 3 fragments I have, respectively, these fragmentation flags:

Flags: 0x20, More fragments
    0... .... = Reserved bit: Not set
    .0.. .... = Don't fragment: Not set
    ..1. .... = More fragments: Set
Fragment Offset: 0

Flags: 0x20, More fragments
    0... .... = Reserved bit: Not set
    .0.. .... = Don't fragment: Not set
    ..1. .... = More fragments: Set
Fragment Offset: 1480

Flags: 0x01
    0... .... = Reserved bit: Not set
    .0.. .... = Don't fragment: Not set
    ..0. .... = More fragments: Not set
Fragment Offset: 2960

My question is: why, in the last fragment, is the flag 0x01 and not 0x00, as in the other, smaller packets that are not fragmented? (Sorry for my bad English.)

Thank you to all who can help me understand this.

Here you can see screenshots of, in order, a small packet not fragmented, first fragment, second fragment, third (and last) fragment of a 3000 byte packet: https://imgur.com/a/d5EF8qF

Wireshark Version 3.4.10 (Git v3.4.10 packaged as 3.4.10-0+deb11u1)

Running on Linux 5.16.0-12parrot1-amd64

Alex_DeLarge
asked 2022-06-12 11:04:27 +0000, updated 2022-06-12 19:04:00 +0000

1 Answer


Merge request submitted to change field:
7151 - ip: ip.flags field are 3 high bits not full byte

Chuckc
answered 2022-06-12 16:42:14 +0000
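
The values in the question, worked through with the RFC 791 header layout (an added example, not part of the original answer and not Wireshark's code; the function names are illustrative): the 3 flag bits share the first byte of a 16-bit word with the top 5 bits of the 13-bit fragment offset, which counts 8-byte units. A "Flags" value taken from that whole byte therefore picks up offset bits once the offset reaches 2048 bytes.

```python
import struct

def frag_word(offset_bytes, more_fragments, dont_fragment=False):
    """Build bytes 6-7 of the IPv4 header: 3 flag bits + 13-bit fragment offset."""
    if offset_bytes % 8:
        raise ValueError("fragment offset must be a multiple of 8 bytes")
    units = offset_bytes // 8              # the field counts 8-byte units
    if units > 0x1FFF:
        raise ValueError("offset does not fit in 13 bits")
    word = (int(dont_fragment) << 14) | (int(more_fragments) << 13) | units
    return struct.pack("!H", word)         # network byte order

def decode(raw):
    """Decode the two bytes, reporting both readings of 'flags'."""
    (word,) = struct.unpack("!H", raw)
    return {
        "first_byte": raw[0],              # flags plus top 5 offset bits
        "flags_3bit": word >> 13,          # reserved, DF, MF only
        "df": bool(word & 0x4000),
        "mf": bool(word & 0x2000),
        "offset_bytes": (word & 0x1FFF) * 8,
    }

# Constructed sample: (offset in bytes, More Fragments) for the three
# fragments described in the question.
FRAGMENTS = [(0, True), (1480, True), (2960, False)]

def report():
    return [decode(frag_word(off, mf)) for off, mf in FRAGMENTS]

if __name__ == "__main__":
    for d in report():
        print(f"offset={d['offset_bytes']:4d}  MF={d['mf']!s:5}  "
              f"first byte=0x{d['first_byte']:02x}  "
              f"3-bit flags=0b{d['flags_3bit']:03b}")
```

For the last fragment, 2960 / 8 = 370 = 0x172, so the word is 0x0172: the first byte is 0x01 while all three flag bits are clear.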