Wireshark mailing list archives

Re: Identification of Fragmented UDP Packets


From: Guy Harris <guy () alum mit edu>
Date: Thu, 21 Jan 2010 19:53:55 -0800


On Jan 21, 2010, at 7:34 PM, Eddie wrote:

> I foolishly followed the WireShark manual, and followed its
> instructions, for tcpdump, to capture the complete packets.  Except it
> doesn't.  LOL
>
> Frame Length:  1514
> Capture Length:  1500

That'll prevent reassembly.  It couldn't reassemble the packet - there was data missing at the end of the first 
fragment, so there'd be a hole in the middle of the reassembled packet.

> Maybe the doc needs updating.  :)

The doc probably needs *fixing*; it was probably *never* wrong.  Even *before* "-s 0" was supported by tcpdump, "-s 
65535" worked (and Wireshark/TShark/dumpcap without "-s", and "tcpdump -s 0", do the exact same thing at the 
libpcap/WinPcap layer that "tcpdump -s 65535" does).  "Use the MTU with -s" is not only too much work (picking a value 
that's too big should be just fine, except perhaps with really old versions of libpcap on some OSes), it's also 
misleading, as you don't want the "MTU" in the sense of the biggest *payload*, you want the maximum *link-layer* packet 
size.

Where is that in the Wireshark manual?  I'll look at fixing it.
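
Added example, not part of the original message or of Wireshark's code: a check for the condition discussed in this thread, where a frame's captured length is smaller than its on-the-wire length (the 1514 vs. 1500 case above), so fragments cannot be reassembled. It reads the classic pcap record headers directly; the function names and the sample capture are constructed for illustration.

```python
import struct

# Classic pcap magic numbers (microsecond and nanosecond timestamp variants).
MAGICS = {0xA1B2C3D4, 0xA1B23C4D}

def find_truncated(pcap_bytes):
    """Return (snaplen, [(frame_no, caplen, framelen), ...]) for cut-short records."""
    if len(pcap_bytes) < 24:
        raise ValueError("too short for a pcap global header")
    # The magic number tells us which byte order the writer used.
    for endian in ("<", ">"):
        if struct.unpack(endian + "I", pcap_bytes[:4])[0] in MAGICS:
            break
    else:
        raise ValueError("not a classic pcap file")
    # Global header: magic, version, thiszone, sigfigs, snaplen, linktype.
    snaplen = struct.unpack(endian + "I", pcap_bytes[16:20])[0]
    truncated, offset, frame_no = [], 24, 0
    while offset + 16 <= len(pcap_bytes):
        # Record header: ts_sec, ts_frac, captured length, original length.
        _sec, _frac, caplen, framelen = struct.unpack(
            endian + "IIII", pcap_bytes[offset:offset + 16])
        frame_no += 1  # 1-based, like Wireshark's frame numbers
        if caplen < framelen:
            truncated.append((frame_no, caplen, framelen))
        offset += 16 + caplen  # only caplen bytes of data follow the header
    return snaplen, truncated

def build_sample():
    """Constructed capture: snaplen 1500, a 1514-byte frame and a 60-byte frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 1500, 1)  # 1 = Ethernet
    for framelen in (1514, 60):
        caplen = min(framelen, 1500)  # what a 1500-byte snaplen would keep
        out += struct.pack("<IIII", 0, 0, caplen, framelen) + bytes(caplen)
    return out

if __name__ == "__main__":
    snaplen, bad = find_truncated(build_sample())
    print("snaplen:", snaplen)
    for frame_no, caplen, framelen in bad:
        print(f"frame {frame_no}: captured {caplen} of {framelen} bytes")
```
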