This is our old Q&A Site. Please post any new questions and answers at

I'm analyzing a SMTP transfer and not sure what Wireshark is reporting in the Info section of "D: DATA fragment, xx bytes". Has anyone seen this before?

asked 03 Dec '12, 13:01

ws2006's gravatar image

accept rate: 0%

The content of an email (headers + body) is sent after the SMTP DATA command. If that content is larger than one TCP segment, Wireshark will show every packet that belongs to the DATA "command" as "C: DATA fragment" in the Info column. So, those packets are basically the content of the email.

You can see the whole SMTP communication.

  • select any packet of the SMTP connection
  • right click the packet
  • select "Follow TCP Stream"


permanent link

answered 03 Dec '12, 13:21

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
accept rate: 15%

edited 03 Dec '12, 13:27

Thanks Kurt. It's the DATA Fragment in the info that i was concerned with.

(04 Dec '12, 06:51) ws2006

It's just an info, that Wireshark detected one part (one fragment) of the mail message.

what concerns do you have?

(04 Dec '12, 08:03) Kurt Knochner ♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:


question asked: 03 Dec '12, 13:01

question was seen: 14,508 times

last updated: 04 Dec '12, 08:03

p​o​w​e​r​e​d by O​S​Q​A