 | 1 | initial version |
In the first instance (with Reassemble fragmented IPv4 datagrams checked) Wireshark sees that the first packet is only part of the IPv4 datagram and holds off dissection until it has everything of that IPv4 datagram. It now can only show an IPv4 fragment. So it happens that the second packet is that missing part of the complete IPv4 datagram. Therefore once the second packet is received the dissection is started on the reassembled IPv4 datagram and the ICMP echo request is dissected.
In the second instance (with Reassemble fragmented IPv4 datagrams unchecked) Wireshark sees that the first packet is only part of the IPv4 datagram, but starts dissection anyway since we didn't ask for reassembly. Then the second packet comes in view. Wireshark can see that it's a later (not the first) part of some IPv4 datagram, so knows it can't dissect it further that an IPv4 fragment.
The difference is in the resulting dissection. In the first instance the dissection of the reassembled IPv4 datagram is the complete ICMP request, while in the second instance it's only the first bit.
Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
