0

How to explain "Reassembly error, Protocol TCP: New fragment overlaps old data"?

asked 2021-03-26 07:23:45 +0000

anhzhi

updated 2021-04-01 05:21:06 +0000

Can anyone help me to analyze the packet file and give a concrete explanation about "New fragment overlaps old data"? https://www.cloudshark.org/captures/c...

There must be something wrong with the network between the client and server of PostgreSQL. The discontinuous change in IPID from server to client supports this supposition.

But I failed to understand the Expert Info on TCP layer.

The related code lines: https://gitlab.com/wireshark/wireshar...


Comments

I have no Cloudshark account (and 1) have no Twitter account or any desire to get one, and choose to use my Google account as little as possible), and have no desire to get a trial account (I don't trust them to make it easy to get a trial account and drop it before they start charging me money), and they apparently require a Cloudshark account to download your file.

Could you either make it downloadable without a Cloudshark account, or upload it to a service that doesn't require an account in order to download it?

I'd need to see the traffic to see why there are, apparently, retransmissions.

Guy Harris ( 2021-03-26 09:08:47 +0000 )

@Guy Harris. I also ran into this, I've emailed CloudShark to ask if they make free accounts available for Core Developers.

grahamb ( 2021-03-26 09:36:45 +0000 )

Years ago Joe McEachern, the founder of QA Cafe and whose username on this site may or may not be @cloudshark, mentioned to me at one of the Sharkfests about offering the Wireshark project its own Cloudshark appliance so that our users would have a convenient place to upload packet captures to and for us to be able to better analyze those capture files and support our users. That offer was made very long ago, so I don't know if Joe even remembers making it or if the offer would still stand, but I can't help but think how helpful that would be for us. Perhaps a follow-up email to Cloudshark regarding this offer could be made, assuming we'd want it and could make use of it, of course?

cmaynard ( 2021-03-26 14:49:17 +0000 )
1

Core Devs will receive an email shortly discussing access to CloudShark.

grahamb ( 2021-03-26 15:36:46 +0000 )

Unfortunately, even with an active CloudShark account I can't view that capture, I get a message:

Your username 'x,[email protected]' does not have permission to view this file.

Have you set the "Sharing" options on the capture to be publicly viewable?

grahamb ( 2021-03-26 18:33:03 +0000 )

1 Answer

0

answered 2021-03-30 07:35:12 +0000

grahamb

Looks like a bug in Wireshark to me. I believe there have been some changes in this area, so maybe a regression.

Please report this as an Issue at the GitLab Issue page, attaching the capture file and providing all the other requested info.


Comments

I don't think it's a bug. In fact, the pgsql query is blocked. In my opinion this Expert Info came from the PostgreSQL dissector. Can anyone help provide more detail or explanation about those dissectors (application level)?

anhzhi ( 2021-03-30 09:02:07 +0000 )

Can you explain why Wireshark is reporting the segments as overlapping?

The error came from the reassembly routines, reporting that it couldn't reassemble the segments because they overlap. I don't think they overlap at all.

The sequence numbers (raw) for the transmissions are:

1033702966
1033704426
1033705886
1033707346
1033708806

which are all spaced exactly 1460 bytes apart as per the TCP payload sizes.

I suspect that as the capture doesn't have the TCP handshake to start the conversation, the reassembly is thrown off. The error message shown is produced from 4 spots in the reassembly routines. The changes that added that error message aren't new though.

grahamb ( 2021-03-30 09:44:36 +0000 )
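
The spacing check described in the comment above, generalized as an added example (not part of the original thread and not Wireshark's reassembly code): it classifies each segment's byte range against data already seen, including 32-bit sequence wraparound. The 1460-byte payload length comes from the comment; the function names and the second sample list are constructed for illustration.

```python
SEQ_MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around

def rel_offset(seq, base):
    """Signed distance from base to seq in 32-bit sequence space."""
    d = (seq - base) % SEQ_MOD
    return d - SEQ_MOD if d >= SEQ_MOD // 2 else d

def classify_segments(segments):
    """Label each (raw_seq, payload_len) pair, given in capture order."""
    if not segments:
        return []
    base = segments[0][0]
    covered = []   # disjoint, sorted [start, end) byte ranges already seen
    highest = 0    # offset just past the highest byte seen so far
    labels = []
    for seq, length in segments:
        start = rel_offset(seq, base)
        end = start + length
        # Bytes of this segment that duplicate data already captured.
        dup = sum(max(0, min(end, e) - max(start, s)) for s, e in covered)
        if length and dup == length:
            labels.append("retransmission")
        elif dup:
            labels.append("overlap")
        elif start > highest:
            labels.append("gap")
        elif start == highest:
            labels.append("in-order")
        else:
            labels.append("out-of-order")
        # Merge the new range into the covered set.
        merged = []
        for s, e in sorted(covered + [(start, end)]):
            if merged and s <= merged[-1][1]:
                merged[-1] = (merged[-1][0], max(merged[-1][1], e))
            else:
                merged.append((s, e))
        covered, highest = merged, max(highest, end)
    return labels

# Raw sequence numbers quoted in the comment, each with a 1460-byte payload.
PAGE_SEGMENTS = [(s, 1460) for s in (1033702966, 1033704426, 1033705886,
                                     1033707346, 1033708806)]
# Constructed sample: wraps past 2**32, then a partial overlap, a gap, a resend.
CONSTRUCTED = [(4294966000, 1460), (164, 1460), (894, 1460),
               (3704, 1460), (164, 1460)]

if __name__ == "__main__":
    print(classify_segments(PAGE_SEGMENTS))
    print(classify_segments(CONSTRUCTED))
```
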

I downloaded the capture file and tested it with Version 3.5.0 (v3.5.0rc0-1385-gcf827f248dbd) as well as a customized version of 3.4.3. I don't see any indication of overlapping segments. If it's a Wireshark bug, it would seem to be with whatever version Cloudshark is running, but I'm not sure how to tell what version that is. It could also just be a Cloudshark-specific bug. Either way, the best thing to do is probably to contact Cloudshark.

cmaynard ( 2021-03-30 14:02:28 +0000 )

Odd, I see the issue on whatever dev version I currently have (v3.5.0rc0-1253-g89ae76d30087). I'm just building a top of tree copy now to test.

grahamb ( 2021-03-30 15:04:16 +0000 )

OK, there must be one or more preferences that control this. I started with a pristine profile and see it now. I'm not sure which preference(s) affect this yet, but I'll try to isolate it/them when I get a chance and try to provide some feedback. Of course, Cloudshark doesn't provide the ability to change protocol preferences, at least not as far as I can tell, so there may not be any way to work around it with Cloudshark.

cmaynard ( 2021-03-30 15:14:07 +0000 )
