Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

asked 2018-11-12 18:29:38 +0000

BabyShark gravatar image

icmp fragmentation

I'm trying to understand IP fragmentation for a network test and the way Wireshark displays the fragmented packets is not making much sense to me.

Here are my assumptions:

  1. Ethernet Type II Frame : 1514 bytes (Wireshark does not show the last 4 bytes of CRC) = 14 Bytes Header + 1500 Bytes Max Payload
  2. IP Packet: 20 Bytes Header + 1480 Bytes Max Payload
  3. ICMP Packet: 8 Bytes Header + 1472 Bytes Max Payload

TOPOLOGY:

HOST (10.0.0.101)------------------ SWITCH (10.0.0.100)

CASE 1:

Host pings Switch: ping 10.0.0.100 -l 1472

On Wireshark, I see no fragmentation as expected.

CASE 2:

Host pings Switch: ping 10.0.0.100 -l 1473

On Wireshard, I see 2 packets:

One of IPv4 Protocol Type of 1514 Byte Size Length + One of ICMP Protocol Type of 35 Byte Size Length, fragmentation is expected since Payload of 1473 is one (1) Byte larger than ICMP Max Payload size. So I'd expect, the second packet being of a size of: 14 (Eth Type II Header) + 20 (IP Header) + 8 (ICMP Header) + 1 (Byte left from Payload) = 43 Bytes

Also, shouldn't a Eth Frame have a Min size of 64 Bytes?

What am I missing?

Thanks in advance

click to hide/show revision 2
None

updated 2018-11-12 18:39:06 +0000

grahamb gravatar image

icmp fragmentation

I'm trying to understand IP fragmentation for a network test and the way Wireshark displays the fragmented packets is not making much sense to me.

Here are my assumptions:
  1. Ethernet Type II Frame : 1514 bytes (Wireshark does not show the last 4 bytes of CRC) = 14 Bytes Header + 1500 Bytes Max Payload
  2. IP Packet: 20 Bytes Header + 1480 Bytes Max Payload
  3. ICMP Packet: 8 Bytes Header + 1472 Bytes Max Payload

TOPOLOGY:

HOST (10.0.0.101)------------------ SWITCH (10.0.0.100)

CASE 1:

Host pings Switch: ping 10.0.0.100 -l 1472

On Wireshark, I see no fragmentation as expected.

CASE 2:

Host pings Switch: ping 10.0.0.100 -l 1473

On Wireshard, Wireshark, I see 2 packets:

One of IPv4 Protocol Type of 1514 Byte Size Length + One of ICMP Protocol Type of 35 Byte Size Length, fragmentation is expected since Payload of 1473 is one (1) Byte larger than ICMP Max Payload size. So I'd expect, the second packet being of a size of: 14 (Eth Type II Header) + 20 (IP Header) + 8 (ICMP Header) + 1 (Byte left from Payload) = 43 Bytes

Also, shouldn't a Eth Frame have a Min size of 64 Bytes?

What am I missing?

Thanks in advance

click to hide/show revision 3
retagged

updated 2018-11-12 19:33:37 +0000

Packet_vlad gravatar image

icmp fragmentation

I'm trying to understand IP fragmentation for a network test and the way Wireshark displays the fragmented packets is not making much sense to me.

Here are my assumptions:

  1. Ethernet Type II Frame : 1514 bytes (Wireshark does not show the last 4 bytes of CRC) = 14 Bytes Header + 1500 Bytes Max Payload
  2. IP Packet: 20 Bytes Header + 1480 Bytes Max Payload
  3. ICMP Packet: 8 Bytes Header + 1472 Bytes Max Payload

TOPOLOGY:

HOST (10.0.0.101)------------------ SWITCH (10.0.0.100)

CASE 1:

Host pings Switch: ping 10.0.0.100 -l 1472

On Wireshark, I see no fragmentation as expected.

CASE 2:

Host pings Switch: ping 10.0.0.100 -l 1473

On Wireshark, I see 2 packets:

One of IPv4 Protocol Type of 1514 Byte Size Length + One of ICMP Protocol Type of 35 Byte Size Length, fragmentation is expected since Payload of 1473 is one (1) Byte larger than ICMP Max Payload size. So I'd expect, the second packet being of a size of: 14 (Eth Type II Header) + 20 (IP Header) + 8 (ICMP Header) + 1 (Byte left from Payload) = 43 Bytes

Also, shouldn't a Eth Frame have a Min size of 64 Bytes?

What am I missing?

Thanks in advance

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2