Wireshark mailing list archives

Identification of Fragmented UDP Packets


From: Eddie <stunnel () attglobal net>
Date: Thu, 21 Jan 2010 09:30:49 -0800

Hi,

I'm investigating an issue where I am unable to connect to a remote 
VPN, where the request is passing through pfSense, which is a FreeBSD-based 
firewall/NAT appliance.  In order to see what's going on, I ran a 
sniffer on its LAN and WAN interfaces.

For the packets in question, I noticed that Wireshark interpreted them 
differently on each interface, and so was wondering on what basis that 
interpretation is made, as if Wireshark has truly misinterpreted the 
packets, then it's possible the remote VPN also has.  Here's what I see:

On the LAN side, a UDP request of 2220 bytes was sent, which was spread 
over two packets.  The first was identified by Wireshark as an IP 
packet, and contained 1280 bytes of data.  The "More fragments" bit is 
set.  The second packet was identified as UDP/ISAKMP, containing 940 
bytes of data, with no fragmentation bits set.  Wireshark also shows the 
completely reassembled data.

Now, within pfSense, the "scrub" option attempts to reassemble the packets.

Again, on the WAN side I also see two packets, as the total length is 
greater than the MTU.  However, on this interface it's the 1st one that 
is identified as UDP/ISAKMP, with 1480 bytes of data, and the "More 
fragments" bit set.  The 2nd packet is only identified as IP, with 740 
bytes of data, and no fragmentation bits set.  Wireshark does *not* show 
any reassembled data.

I've looked through the headers, and cannot see anything different 
between the headers on the LAN and the WAN packets that might cause this 
difference in interpretation.  So, what might cause this?

Cheers.
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
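As an added illustration (not part of the post, and not Wireshark's or pfSense's code), the script below builds the two fragment layouts described above from a constructed 2220-byte datagram, labels each fragment from its IP header alone the way a dissector must before reassembly (only the offset-0 fragment carries the UDP header, so only it can be called UDP on its own), and reassembles by the (src, dst, Identification, protocol) key that reassembly depends on. The addresses, IP ID and payload are assumed values; the mismatched-ID case is one constructed reason fragments stay unjoined, not a claim about what pfSense did.

```python
import struct
IP_PROTO_UDP = 17

def ipv4_fragment(payload, mtu, ip_id, src=b"\x0a\x00\x00\x02", dst=b"\xc0\x00\x02\x01"):
    """Split a UDP datagram into minimal IPv4 fragments (20-byte header, no options)."""
    max_data = (mtu - 20) // 8 * 8          # all but the last fragment carry 8-byte multiples
    frags, offset = [], 0
    while offset < len(payload):
        chunk = payload[offset:offset + max_data]
        more = offset + len(chunk) < len(payload)
        flags_off = (0x2000 if more else 0) | (offset // 8)   # MF bit | fragment offset / 8
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(chunk), ip_id,
                          flags_off, 64, IP_PROTO_UDP, 0, src, dst)   # checksum left 0 (assumed)
        frags.append(hdr + chunk)
        offset += len(chunk)
    return frags

def dissect(pkt):
    """Label one packet from its IP header alone, as a dissector does before reassembly."""
    ver_ihl, _, total, ip_id, flags_off, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    offset, mf = (flags_off & 0x1FFF) * 8, bool(flags_off & 0x2000)
    # Only the offset-0 fragment contains the UDP header; any later fragment is just "IP".
    label = "UDP" if offset == 0 and proto == IP_PROTO_UDP else "IP fragment"
    return {"id": ip_id, "mf": mf, "offset": offset, "data_len": total - ihl, "label": label,
            "key": (src, dst, ip_id, proto), "data": pkt[ihl:total]}

def reassemble(pkts):
    """Group by (src, dst, id, proto); return complete datagrams (contiguous offsets from 0
    up to a final fragment with MF clear) keyed by IP ID."""
    groups = {}
    for d in map(dissect, pkts):
        groups.setdefault(d["key"], []).append(d)
    done = {}
    for key, frags in groups.items():
        frags.sort(key=lambda d: d["offset"])
        expected, last_mf = 0, True
        for d in frags:
            if d["offset"] != expected:
                break                      # gap: cannot complete this datagram
            expected, last_mf = d["offset"] + d["data_len"], d["mf"]
        else:
            if not last_mf:
                done[key[2]] = b"".join(d["data"] for d in frags)
    return done

# Constructed 2220-byte datagram, fragmented at the sizes seen in the post.
DATAGRAM = bytes(range(256)) * 8 + b"\x00" * 172
LAN = ipv4_fragment(DATAGRAM, 1300, 0x1234)   # 1280 + 940 bytes of data, same ID: reassembles
WAN = ipv4_fragment(DATAGRAM, 1500, 0x1234)   # 1480 + 740 bytes of data, same ID: reassembles
```

Comparing the Identification, flags and offset fields of the two WAN packets against `dissect()` is the quickest check: if the second packet is not a fragment of the first (different ID, or offset 0 with MF clear), no reassembly engine can join them.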
