Ask Your Question
0

UDP datagram wrongly reassembled

asked 2026-01-09 10:22:09 +0000

threinem gravatar image

updated 2026-01-09 11:41:22 +0000

grahamb gravatar image

I am analyzing a 10G SR connection between an IoT device and a Linux computer without a switch in between. Captured data is here

The filter ip.fragment.error shows some errors, eg for packet: 1125980. But this packet is correct. However the following datagram is not correctly reassembled.

wrongly reassembled packet image

Packet 1125995 is regarded as last fragment, but it has the "more fragments flag" set. It is followed by two additional packets, where 1125997 has a cleared "more fragments flag" and is not used for reassembling.

What's wrong with this packets?

I'm using version 4.6.2

Thanks

Tom

edit retag flag offensive close merge delete

Comments

Your link to the packet image seems to be broken.

grahamb gravatar imagegrahamb ( 2026-01-09 11:41:43 +0000 )edit

This is the link to the image: https://nextcloud.abaxor.de/index.php...

threinem gravatar imagethreinem ( 2026-01-09 11:55:55 +0000 )edit

NextCloud seems to mangle the URL, you could post the image on a public share and then post a link to it back here.

grahamb gravatar imagegrahamb ( 2026-01-09 12:28:48 +0000 )edit

Captured data is here

Browser download says cam_145_8_frames.pcapng is 1.7GB.
Please make a smaller capture file with frames of interest that show the issue.

Chuckc gravatar imageChuckc ( 2026-01-09 13:23:39 +0000 )edit

Not an answer - parking subset of the screenshot showing the question frames.
Please make a smaller capture file from 1125980 to 1125998.

image description

Chuckc gravatar imageChuckc ( 2026-01-09 13:35:25 +0000 )edit
add a comment

1 Answer

Sort by ยป oldest newest most voted
1

answered 2026-01-09 16:02:55 +0000

Jim Young gravatar image

This looks like an example of analysis issues caused by ip.id reuse.

Excluding the TCP and ICMP packets (!tcp && !icmp), the sample capture shows reconstituted UDP packets from ip address 192.168.1.145 to ip address 192.168.1.3, with each UDP packet made from 17 IP packets of which which the first 16 IP packets have ip.flags.mf == True. IP level fragmentation makes use of the ip.id field to help identify the relevant fragments. Reuse of ip.id values can trigger analysis ambiguities when an aip.id is used more than once and an earlier fragmented UDP packet is not fully resolved.

In In the case of frame.number == 1125980 we have ip.id == 0xb002 and in the case of frame.number == 1125995 we have ip.id == 0xb003.

With ip.id == 0xb002 we see that we have only 12 of the expected 17 ip packets at approximately 23.293 seconds into the capture (frame.number in {19306..19317}). Several seconds later at approximately 33.266 seconds into the capture (frame.number in {1125964..1125980}) we have a second group of packets with ip.id == 0xb002. If we expand the [IPv4 Fragments] tree in the packet details of frame.number == 1125980 we see this UDP packet appears to be composed of 29 IP packets.

With ip.id == 0xb003 at approximately 23.293 seconds into the capture (frame.number in {19318..19319}) we see the last two IP packets of an expected 17 ip packets for an expected UDP packet. At approximately 33.266 seconds into the capture (frame.number in {11259581..1125997}) for we see a complete set of 17 ip packets for a UDP packet. On frame.number == 1125995 the [IPv4 Fragments] field only shows 17 IP packets with the last two parts of the UDP packet reconstituted with frame.number in {19318..19319} and notframe.number in {1125996..1125997}. One could argue that we should see a list of 19 IP packets for this particular UDP packet.

edit flag offensive delete link more

Comments

Nice analysis @jim-young! And if you use editcap to isolate only the packets 1125900-1125999 into a new capture file, you don't see any problems with the reassembly because there's no ip.id reuse in that case.

For example: editcap -r -F pcap cam_145_8_frames.pcapng cam_145_8_frames-1125900-1125999.pcap 1125900-1125999

(In this subset, frame 1125980 becomes frame 81 and 1125997 becomes frame 98.)

cmaynard gravatar imagecmaynard ( 2026-01-09 16:48:26 +0000 )edit

To avoid this problem, I wonder if it would be possible for the IP dissector to include a preference that limits the maximum amount of time allowed for fragments to be included in reassembly. On Linux the default from /proc/sys/net/ipv4/ipfrag_time appears to be 30 seconds, and on Windows it appears to default to 60 seconds from netsh interface ipv4 show ipstats | find "Reassembly Timeout". 30 seconds might be a good default value for Wireshark, which obviously wouldn't help in this case, but if it was configured for 10 seconds or perhaps a bit less, then the reassembly would work fine here.

cmaynard gravatar imagecmaynard ( 2026-01-09 22:10:21 +0000 )edit

I suppose another possibility to avoid this problem might be to keep track of the frame with offset 0 and then just be sure not to include any frames earlier than that one as part of the reassembly for a given ip.id.

cmaynard gravatar imagecmaynard ( 2026-01-10 00:22:59 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2026-01-09 10:22:09 +0000

Seen: 28 times

Last updated: 11 hours ago

Related questions

Why would I be getting "LEN 1 (Malformed Packet)"... "(Malformed Packet: RTCP)" on UDP Packets

My UDP packets aren't showing

Monitoring UDP data on wireshark shows ARP packet

how to decode part of a message as IPv4 with a custom dissector?

How do I use the fragment_add_seq_check function in UDP packet reassembly?

Is it possible to use reassembly on non-split packets?

How do I dissect packets if the dissection depends on information from earlier packets?

How do Wireshark resolve addresses

What is the udp.length display filter actually for?

IO Graph: Plot ICMP response time