Re: fragmented packets

[Rick Jones <rick.jones2 () hp com>]

Luis Del Pino wrote:
> Hello, i have a question. I am filtering UDP segments by port. In fragmented
> packets, i only capture the UDP segment and i can't capture the other
> fragments. My questions are: could the fragments loss? or if a fragment is
> lost in the network, the UDP segment entirely is it lost?. i'm sorry for my
> English.

When IP fragments the datagram containing the UDP _datagram_ (TCP sends 
segments, UDP sends datagrams :) there is no replication of the UDP header in 
each IP datagram fragment - the UDP datagram, afterall, is _data_ as far as IP 
is concerned.

So, short of actually doing IP fragment reassembly, which would be a triffle too 
expensive to do in tcpdump, there is no way for tcpdump to know to which UDP 
datagrams those IP datagrams belong and so cannot match them to your filter.

So, there is no way to know from tcpdump if the other fragments are lost, short 
of taking-in _all_ packets and doing the work yourself by hand.

As for the second question, IP does not retransmit datagrams (or or datagram 
fragments), so if any of the IP datagram fragments are lost, the IP datagram 
cannot be reassembled on the receiver and so will be dropped.

This is one of the reasons sending UDP datagrams >= the MTU is discouraged - 
packet loss is (IIRC) exponentially increased as datagram loss.  If we consider 
a probability of packet loss of p, then the probability of any one _packet_ 
making it across the network is (1-p)  (eg if the packet loss rate is 1% p would 
be 0.01 and 1-p would be 0.99).  Since all packets have to make it across, if 
there are N fragments that means the chances of all of them making it is 
(1-p)^N.  (1-p)^N gets very small very rapidly as N increases.

rick jones
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.