IP Fragmentation offset question

Good afternoon all!

I decided to learn a bit about packet analysis/Wireshark and picked up "Practical Packet Analysis 3E" by Chris Sanders. The book is using Wireshark 2.x and I'm using 3.x, and up until now everything was the same, but I noticed a slight change I was curious about. Since there isn't a forum for this book that I can find, I was wondering if someone here could explain in simple terms or (better) point me in the right direction to figure out:

Looking at the flags of a fragmented IPv4 header in the packet details pane on Wireshark 2.x, the screenshot shows "Fragment offset:1480" just before the TTL, but in the example capture on 3.x it shows "..0 0000 1011 1001 = Fragment offset: 185" in the same place, and I was curious as to why and what the 185 means. I checked and it's the same packet (and I can see in the "info" pane of the packet list (proto=ICMP 1, off=1480,...)), and I also noticed the 3rd packet in the series has an offset of 370. So did I maybe accidentally hit a setting somewhere, or does 3.x express this info differently, and why?

I hope all that makes sense and thank you for your time!
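
The two numbers in the question are the same field in different units: the IPv4 header carries a 13-bit fragment offset counted in 8-byte blocks (RFC 791), so the raw value 185 is byte offset 1480 and 370 is byte offset 2960. The following is an added example, not part of the original post, that decodes the field both ways; the three headers are constructed samples, and the addresses, identification value, MF flags and last payload length are assumptions.

```python
import struct

def build_ipv4_header(ident, mf, offset_units, payload_len, proto=1):
    """Build a minimal 20-byte IPv4 header (constructed sample, checksum left 0)."""
    flags_frag = (int(mf) << 13) | (offset_units & 0x1FFF)
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, 20 + payload_len, ident, flags_frag,
                       64, proto, 0,
                       bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))

def parse_fragment_field(header):
    """Decode bytes 6-7 of an IPv4 header: 3 flag bits + 13-bit fragment offset."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    (word,) = struct.unpack_from("!H", header, 6)
    raw = word & 0x1FFF                  # value on the wire, in 8-byte units
    return {
        "df": bool(word & 0x4000),       # Don't Fragment
        "mf": bool(word & 0x2000),       # More Fragments
        "raw_offset": raw,               # the number shown as 185 in the question
        "byte_offset": raw * 8,          # the number shown as 1480 in the question
        "bits": format(raw, "013b"),     # the 13 offset bits
    }

# Constructed sample: one ICMP datagram split into three fragments.
# Raw offsets 0, 185 and 370 follow the values quoted in the question.
SAMPLE_HEADERS = [
    build_ipv4_header(ident=0x1234, mf=True,  offset_units=0,   payload_len=1480),
    build_ipv4_header(ident=0x1234, mf=True,  offset_units=185, payload_len=1480),
    build_ipv4_header(ident=0x1234, mf=False, offset_units=370, payload_len=520),
]

if __name__ == "__main__":
    for hdr in SAMPLE_HEADERS:
        f = parse_fragment_field(hdr)
        print(f"MF={int(f['mf'])} bits={f['bits']} "
              f"raw={f['raw_offset']:>3} (x8) -> byte offset {f['byte_offset']}")
```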