
DNS fragment over TCP

0

I captured some DNS packets over TCP, and some DNS fragment packets were found. Why should these DNS packets be fragmented (not IP-layer fragments, just DNS payload fragments) when the length is < 1500?

asked 06 Dec '12, 22:19


chinasan
accept rate: 0%

1

Can you please post a screenshot of that "DNS fragment" message?

(07 Dec '12, 05:43) Kurt Knochner ♦

A picture cannot be attached without reason, so just a description as follows: the first DNS payload is "0x00" (just 1 byte); the second payload begins with "0x16........". Two bytes give the length of the DNS payload part. The two TCP packets are also shown as one TCP segment in Wireshark (like an HTTP GET message: the reassembled TCP segments No.1 and No.4).

(09 Dec '12, 22:07) chinasan

A picture can not be attached without reason

The reason is: you are asking for help, but you did not provide enough information in text form to fully understand the problem ;-))

(10 Dec '12, 05:59) Kurt Knochner ♦

One Answer:

1

Why should these DNS packets be fragmented (not IP-layer fragments, just DNS payload fragments) when the length is < 1500?

Because whoever wrote the DNS code that sent those packets is doing something silly, such as sending the first byte of the packet length with one "write to the network" call and the rest of the packet length in another "write to the network" call, and the TCP implementation isn't coalescing them into one TCP segment?

The two TCP packets are also shown as one TCP segment in Wireshark (like an HTTP GET message: the reassembled TCP segments No.1 and No.4).

That's not one TCP segment, that's two TCP segments - a TCP packet is a TCP segment. Wireshark is reassembling the two segments into a single chunk of data that holds the entire DNS packet and dissecting that.

answered 10 Dec '12, 14:25


Guy Harris ♦♦
accept rate: 19%
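The answer above describes exactly the situation a DNS-over-TCP receiver (or a passive dissector) has to cope with: the two-octet length prefix defined by RFC 1035 section 4.2.2 may arrive split across TCP segments, so a parser that treats each TCP payload as a whole message breaks on the first one-byte segment. The following added example, which is not code from the question, the answer or Wireshark, shows a stream-oriented reassembler that buffers bytes until both the prefix and the body are complete, plus a minimal header/question parser so the reassembled message can be inspected. The sample query (`SAMPLE_QUERY`, transaction id 0x1234, question `a.bc` A/IN) and its split into a `b"\x00"` segment followed by a `b"\x16..."` segment are constructed here to mirror the capture described in the thread.

```python
import struct

# --- Constructed sample data (not from the original capture) ---------------
# A 22-byte (0x16) DNS query: 12-byte header + question "a.bc", type A, class IN.
SAMPLE_QUERY = (
    struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)  # id, flags(RD), qd/an/ns/ar counts
    + b"\x01a\x02bc\x00"                                # qname: 1 "a", 2 "bc", root
    + struct.pack("!HH", 1, 1)                          # qtype A, qclass IN
)

# TCP payloads as described in the thread: the first segment carries only the
# high byte of the length prefix (0x00); the second starts with the low byte (0x16).
SEGMENTS = [b"\x00", b"\x16" + SAMPLE_QUERY]


class DnsTcpReassembler:
    """Reassemble DNS messages from a TCP byte stream.

    DNS over TCP prefixes every message with a two-octet big-endian length
    (RFC 1035 4.2.2). TCP provides a byte stream, not message boundaries, so
    the prefix or the body may be split across any number of segments. We
    therefore buffer everything and emit a message only when the prefix and
    the full body are present.
    """

    def __init__(self):
        self._buf = bytearray()

    def feed(self, payload):
        """Append one TCP payload; return the list of complete messages now available."""
        self._buf += payload
        messages = []
        while len(self._buf) >= 2:
            (length,) = struct.unpack("!H", self._buf[:2])
            if len(self._buf) < 2 + length:
                break  # body not fully received yet; wait for the next segment
            messages.append(bytes(self._buf[2:2 + length]))
            del self._buf[:2 + length]
        return messages

    @property
    def pending(self):
        """Number of buffered bytes not yet forming a complete message."""
        return len(self._buf)


def reassemble_all(segments):
    """Convenience wrapper: feed every segment in order and collect the messages."""
    r = DnsTcpReassembler()
    out = []
    for seg in segments:
        out.extend(r.feed(seg))
    return out


def parse_dns_header(message):
    """Decode the fixed 12-byte DNS header into a dict."""
    if len(message) < 12:
        raise ValueError("message shorter than DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", message[:12])
    return {
        "id": ident,
        "qr": flags >> 15,
        "opcode": (flags >> 11) & 0xF,
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def parse_question_name(message):
    """Return the first question's name as dotted text (uncompressed labels only)."""
    labels, pos = [], 12
    while True:
        if pos >= len(message):
            raise ValueError("truncated qname")
        n = message[pos]
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer not allowed in a question name")
        pos += 1
        labels.append(message[pos:pos + n].decode("ascii"))
        pos += n
    return ".".join(labels)


if __name__ == "__main__":
    r = DnsTcpReassembler()
    print("after segment 1:", r.feed(SEGMENTS[0]), "pending bytes:", r.pending)
    msgs = r.feed(SEGMENTS[1])
    print("after segment 2:", len(msgs), "message(s)")
    print(parse_dns_header(msgs[0]), parse_question_name(msgs[0]))
```

Feeding the first one-byte segment yields no message (one byte pending); the second segment completes the prefix and body and yields the 22-byte query. `reassemble_all` also copes with a split anywhere inside the body, which is the same buffering Wireshark performs when it presents the two segments as one reassembled PDU.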