Ask Your Question
0

IP Fragmentation offset question

asked 2019-10-17 21:49:22 +0000

JPolk gravatar image

Good afternoon all!

I decided to learn a bit about Packet analysis/wireshark and picked up "practical packet analysis 3E" by Chris Sanders. The book is using wireshark 2.x and I'm using 3.x and up until now everything was the same but I noticed a slight change I was curious about and since there isn't a forum for this book I can find was wondering if someone here could explain in simple terms or (better) point me in the right direction to figure out:

looking at the flags of a fragmented IPv4 header in the packet details pane on wireshark 2.x the screenshot shows "Fragment offset:1480" just before the TTL but in the example capture on 3.x it shows "..0 0000 1011 1001 = Fragment offset: 185" in the same place and I was curious as to why and what the 185 means. I checked and its the same packet (and I can see in the "info" pane of the packet list (proto=ICMP 1, off=1480,...) and I also noticed the 3rd packet in the series has an offset of 370 so did I maybe accidentally hit a setting somewhere or does 3.x express this info differently and why?

I hope all that makes sense and thank you for your time!

edit retag flag offensive close merge delete

Comments

Yes i too observed the same issue on latest Version 3.2.1 (v3.2.1-0-gbf38a67724d0)

sameerece gravatar imagesameerece ( 2020-01-30 15:30:29 +0000 )edit

1 Answer

Sort by » oldest newest most voted
0

answered 2019-10-18 00:04:21 +0000

SYN-bit gravatar image

There was a bug in wireshark that caused the display of this value to change. The 13 bit value in the packet has to be read as the amount of 8 byte blocks (as an IP datagram can be 64K big and with 13 bits you can only address 8K). This bug has been fixed and should be included in the 3.2 release of Wireshark.

edit flag offensive delete link more

Comments

ah okay, thanks! that's good to know!

JPolk gravatar imageJPolk ( 2019-10-18 00:37:52 +0000 )edit

IP: Make dissection of ip.frag_offset RFC 791 compliant
https://code.wireshark.org/review/33422
Pretty sure "vi" does not support spacebar temperature check. Will research.

Chuckc gravatar imageChuckc ( 2019-10-18 01:18:48 +0000 )edit

IP: Make dissection of ip.frag_offset RFC 791 compliant https://code.wireshark.org/review/33422

And it is now also merged in 3.0, so the next 3.0 version will have the fix too. Thx @Guy Harris:

https://code.wireshark.org/review/#/c...

Pretty sure "vi" does not support spacebar temperature check. Will research.

? :-)

SYN-bit gravatar imageSYN-bit ( 2019-10-18 08:19:12 +0000 )edit

Pretty sure "vi" does not support spacebar temperature check. Will research.

? :-)

See Peter Wu's first comment on the original change and the XKCD comic to which it links.

Guy Harris gravatar imageGuy Harris ( 2019-10-18 08:30:36 +0000 )edit

Ah... forgot about the XKCD in that change :-)

Pretty sure "vi" does not support spacebar temperature check. Will research.

Pretty sure you will succeed in doing a temperature check in "vi" too :-)

SYN-bit gravatar imageSYN-bit ( 2019-10-18 09:16:44 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2019-10-17 21:49:22 +0000

Seen: 2,585 times

Last updated: Oct 18 '19