Wireshark mailing list archives

Re: Wireshark not reassembling UDP packet


From: Andre Kostur <akostur () incognito com>
Date: Tue, 24 Apr 2012 08:42:25 -0700

Yep, Frame length and Capture length are 1514 bytes.  UDP checksum
validation is already disabled.  Additional information, the capture was
done on the same box as the packet transmitter.   Doing the capture from a
3rd box, and Wireshark is able to reassemble the packet.

On Mon, Apr 23, 2012 at 21:51, Sake Blok <sake () euronet nl> wrote:

On 24 apr 2012, at 01:57, Andre Kostur wrote:

Hi, using Wireshark 1.6.7 (SVN 41973). I have a pcap of a Kerberos
exchange. The AS-REQ is a fragmented UDP packet with 2 fragments and is
being correctly reassembled and shown. However, the AS-REP is a fragmented
UDP packet with 3 fragments, but Wireshark is not reassembling this packet.
It just shows the 1st packet as the AS-REP, but truncated (Packet size
limited during capture). All three fragments have a consistent
Identification field, the More Fragments bit is set on the first two
fragments (and not the third). The Fragment offsets are 0, 1480, and 2960
(as you would expect). However, the Header checksum is listed as 0x0000.
Perhaps Wireshark is upset with the checksum and thus refusing to
reassemble the packet?

Can you verify if whole packets are captured? Wireshark does not do any
reassembly when the packets are not complete. The message "Packet size
limited during capture" means that not the whole packets were saved. You
can verify this by looking at the frame details and comparing the "Frame
Length" with the "Capture Length".

When whole packets were captured, you could disable "Validate the UDP
checksum" setting in the UDP protocol preferences to disable checksum
checking. But AFAIK Wireshark correctly disables UDP checksum checking when
the checksum is 0x0000. If not, please report this as a bug on
https://bugs.wireshark.org.

Hope this helps,
Cheers,


Sake


-- 
 *Andre Kostur*
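
The checks discussed in this thread (Frame Length versus Capture Length, a consistent Identification field, the More Fragments bit, contiguous fragment offsets, and a 0x0000 header checksum) can also be run directly over a capture file. The following is an added example, not code from the thread or from Wireshark; the function names, the grouping by Identification alone, and the constructed three-fragment sample capture are assumptions made for illustration.

```python
import struct

def read_pcap(data):
    """Yield (caplen, origlen, frame) from a classic little-endian pcap file."""
    if struct.unpack_from("<I", data, 0)[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap is handled")
    pos = 24                                   # skip the global header
    while pos + 16 <= len(data):
        caplen, origlen = struct.unpack_from("<II", data, pos + 8)
        yield caplen, origlen, data[pos + 16:pos + 16 + caplen]
        pos += 16 + caplen

def fragment_report(data):
    """Per IP Identification: offsets seen, completeness, truncation, checksum."""
    groups = {}
    for caplen, origlen, frame in read_pcap(data):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                           # not Ethernet + full IPv4 header
        ip = frame[14:]
        # total length, identification, flags/offset, ttl+protocol, checksum
        total_len, ident, flags_off, _, cksum = struct.unpack_from("!HHHHH", ip, 2)
        more, offset = bool(flags_off & 0x2000), (flags_off & 0x1FFF) * 8
        if not more and offset == 0:
            continue                           # unfragmented datagram
        size = total_len - (ip[0] & 0x0F) * 4  # payload bytes in this fragment
        groups.setdefault(ident, []).append(
            (offset, size, more, caplen < origlen, cksum))
    report = {}
    for ident, frags in groups.items():
        frags.sort()
        expected, contiguous = 0, True
        for offset, size, *_ in frags:
            contiguous = contiguous and offset == expected
            expected = offset + size
        report[ident] = {"offsets": [f[0] for f in frags],
                         "complete": contiguous and not frags[-1][2],
                         "truncated": any(f[3] for f in frags),
                         "zero_checksum": all(f[4] == 0 for f in frags)}
    return report

def build_sample(snaplen=65535):
    """Constructed capture: one datagram in 3 fragments, ID 0x1234, checksum 0."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for off, size, mf in ((0, 1480, 1), (1480, 1480, 1), (2960, 100, 0)):
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + size, 0x1234,
                         (mf << 13) | (off // 8), 64, 17, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
        frame = bytes(12) + b"\x08\x00" + ip + bytes(size)
        out += struct.pack("<IIII", 0, 0, min(len(frame), snaplen), len(frame))
        out += frame[:snaplen]
    return out
```

Calling `fragment_report(build_sample())` reports a complete, untruncated fragment set, while `build_sample(snaplen=96)` produces the "Packet size limited during capture" condition, which shows up as `truncated` being true.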