Re: Identification of Fragmented UDP Packets

[Guy Harris <guy () alum mit edu>]

On Jan 21, 2010, at 5:52 PM, Eddie wrote:

> Guy Harris wrote:
>
> > Can you save just the two offending fragments from the WAN capture to a file?  If so, when you read the file in, 
> > does it reassemble the fragments?  If not, could you send us that capture, along with the version information from 
> > Wireshark?
>
> Not sure what you mean by this.  Can you explain a little more please.

In Wireshark, the File -> Save As... menu item will let you save to a file a subset of the packets in the capture you 
currently have open.

Select "Save As..." from the "File" menu, and in the "Packet Range" stuff below the list of files, select "Specify a 
packet range:" and type in, for example...

> I've also uploaded a couple of screen shots, which hopefully reinforce 
> my descriptions of what I'm seeing.  On the LAN, it's packets 16 and 
> 17.  The WAN is 17 and 18.

..."16-17" for the LAN capture and "17-18" for the WAN capture.

Then enter a file name and click "Save"; that should save a file with only the two packets in question in it.

Then browse to a directory into which you can save the file, 

> http://www.BogoLinux.net/LANFragments.png
> http://www.BogoLinux.net/WANFragments.png

OK, the header checksums are all valid (all four packets).  However, the packets in the WAN capture *might* have been 
cut short by a snapshot length.  If you can't save the offending packets and send them to us, can you indicate what's 
in the "Frame" portion of the packet detail pane for packet 17 in the WAN capture?  In particular, what are the "Frame 
Length" and "Capture Length" values?
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe