This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

ICMP fragmentation

0

If you can't see the full image, open the image URL in new window.

On Windows 7, ping www.ea.com -l 32000

Why am I not seeing the fragmentation in Wireshark? I set the payload to 32000 bytes but Wireshark is only seeing 1472 bytes (1500 bytes IP MTU - 20 bytes IP header - 8 bytes ICMP ECHO header). So where are the remaining 30528 bytes?

I am pretty sure those fragments are actually sent because I still get fragment reassembly time exceeded minutes after the ping.

I unchecked IP Reassembly but it made no difference.

asked 23 Jun '13, 18:56

realdreams
1111
accept rate: 0%


One Answer:

4

Your display filter of "icmp" is what is causing you grief. The IP fragments don't match that filter (except for the 1st one in the case when you have IP reassembly disabled or the last one in the case when you have IP reassembly enabled), so they aren't shown. If you want to see all the fragments, you could try the following (which should work fairly well in most cases, unless there also happens to be other traffic besides your ICMP packets of interest included in that IP conversation filter, in which case you will have to filter that out with additional filters):

Right-click on an ICMP packet of interest and select, "Conversation Filter -> IP"

"I unchecked IP Reassembly but it made no difference."

Actually, it did/does make a difference. If you have IP reassembly turned off, the first packet will carry the ICMP header and be shown as ICMP, whereas if you have IP reassembly turned on, the last packet will be indicated as the entire reassembled ICMP packet.

answered 23 Jun '13, 19:11

cmaynard ♦♦
9.4k1038142
accept rate: 20%
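
The behaviour described in the answer, as an added example that is not part of the original thread: it builds the IPv4 fragments of a 32000-byte ping at a 1500-byte MTU and reports which frames a display filter of "icmp" would show with IP reassembly off and on. The addresses, the IP identification value and the zeroed checksums are constructed sample values.

```python
import struct

MTU, IP_HDR, ICMP_HDR = 1500, 20, 8   # sizes from the question

def build_fragments(payload_len, ident=0x1234, mtu=MTU):
    """Return the IPv4 fragments (header + data) of one ICMP echo request."""
    # ICMP echo header: type 8, code 0; checksum/id/seq left zero (constructed)
    datagram = struct.pack("!BBHHH", 8, 0, 0, 0, 0) + b"a" * payload_len
    step = (mtu - IP_HDR) // 8 * 8     # fragment data is a multiple of 8 bytes
    frames = []
    for off in range(0, len(datagram), step):
        chunk = datagram[off:off + step]
        more = 0x2000 if off + step < len(datagram) else 0   # MF flag
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR + len(chunk), ident,
                          more | (off // 8), 128, 1, 0,  # proto 1 = ICMP, checksum 0
                          bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))
        frames.append(hdr + chunk)
    return frames

def parse(frame):
    """Extract (offset_bytes, more_fragments, protocol) from an IPv4 header."""
    (flags_off,) = struct.unpack("!H", frame[6:8])
    return (flags_off & 0x1FFF) * 8, bool(flags_off & 0x2000), frame[9]

def matches_icmp_filter(frames, reassembly):
    """Indices of the frames a display filter of 'icmp' would show."""
    shown = []
    for i, frame in enumerate(frames):
        off, more, proto = parse(frame)
        if proto != 1:
            continue
        if reassembly:
            hit = not more      # reassembled ICMP is shown on the last fragment
        else:
            hit = off == 0      # only the first fragment carries the ICMP header
        if hit:
            shown.append(i)
    return shown

if __name__ == "__main__":
    frames = build_fragments(32000)
    print("fragments on the wire:", len(frames))
    print("ICMP data in first fragment:", len(frames[0]) - IP_HDR - ICMP_HDR)
    print("'icmp' filter, reassembly off:", matches_icmp_filter(frames, False))
    print("'icmp' filter, reassembly on: ", matches_icmp_filter(frames, True))
```

A display filter on the IP layer, such as `ip.proto == 1`, matches every fragment because the protocol field is present in each IPv4 header.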