Wireshark mailing list archives
Re: Wireshark not reassembling UDP packet
From: Sake Blok <sake () euronet nl>
Date: Tue, 24 Apr 2012 06:51:05 +0200
On 24 apr 2012, at 01:57, Andre Kostur wrote:
Hi, using Wireshark 1.6.7 (SVN 41973). I have a pcap of a Kerberos exchange. The AS-REQ is a fragmented UDP packet with 2 fragments and is being correctly reassembled and shown. However, the AS-REP is a fragmented UDP packet with 3 fragments, but Wireshark is not reassembling this packet. It just shows the 1st packet as the AS-REP, but truncated (Packet size limited during capture). All three fragments have a consistent Identification field, the More Fragments bit is set on the first two fragments (and not the third. The Fragment offsets are 0, 1480, and 2960 (as you would expect. However, the Header checksum is listed as 0x0000. Perhaps Wireshark is upset with the checksum and thus refusing to reassemble the packet?
Can you verify if whole packets are captured. Wireshark does not do any reassembly when the packets are not complete. The message "Packet size limited during capture" means that not the whole packets were saved. You can verify this by looking at the frame details and compare the "Frame Length" with the "Capture Length". When whole packets were captured, you could disable "Validate the UDP checksum" setting in the UDP protocol preferences to disable checksum checking. But AFAIK Wireshark correctly disables UDP checksum checking when the checksum is 0x0000. If not, please report this as a bug on https://bugs.wireshark.org. Hope this helps, Cheers, Sake ___________________________________________________________________________ Sent via: Wireshark-users mailing list <wireshark-users () wireshark org> Archives: http://www.wireshark.org/lists/wireshark-users Unsubscribe: https://wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request () wireshark org?subject=unsubscribe
Current thread:
- Wireshark not reassembling UDP packet Andre Kostur (Apr 23)
- Re: Wireshark not reassembling UDP packet Sake Blok (Apr 23)
- Re: Wireshark not reassembling UDP packet Andre Kostur (Apr 24)
- Re: Wireshark not reassembling UDP packet Sake Blok (Apr 24)
- Re: Wireshark not reassembling UDP packet Michael Tuexen (Apr 24)
- Re: Wireshark not reassembling UDP packet Andre Kostur (Apr 24)
- Re: Wireshark not reassembling UDP packet ronnie sahlberg (Apr 24)
- Re: Wireshark not reassembling UDP packet Kevin Cullimore (Apr 27)
- Re: Wireshark not reassembling UDP packet Guy Harris (Apr 27)
- Re: Wireshark not reassembling UDP packet Andre Kostur (Apr 24)
- Re: Wireshark not reassembling UDP packet Sake Blok (Apr 23)