This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Large fragmented ICMP issue

0

When I request 12000 bytes (ping size), I see that fragmentation happens.

So after fragmentation the result shows (1480*8) + 168 bytes = 12000.

So the last frame size should be 168 (data) + 20 (IP) + 8 (ICMP) + 14 (frame header) = 210 bytes.

But as I saw, the frame length is showing 202 bytes. Why is the ICMP packet not added only for the fragmented packet?

For the normal 32-byte ICMP condition it works fine.

Jasper, could you please help me with that?

This question is marked "community wiki".

asked 14 Mar '15, 22:24


Lvi

converted to question 15 Mar '15, 03:32


grahamb ♦


One Answer:

0

Keep in mind that when IP fragments a large ICMP packet (or any packet, actually) only the first will have the ICMP (or other layer 4) header. All others will just have the remaining payload fragments right after the IPv4 header. Check your 9 packets - the first has Ethernet/IP/ICMP/payload, all other 8 packets will only have Ethernet/IP/payload.

So the 8 bytes you're missing is the ICMP header. Also, the first packet only has 1472 bytes of ping payload, because of the header (so 1480 is the ICMP header plus payload).

answered 15 Mar '15, 08:32


Jasper ♦♦
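The fragment layout described in the answer, as an added example that is not part of the original posts: it computes the per-fragment sizes for one ICMP echo request. The function name `fragment_icmp_echo` is hypothetical, and the code assumes an Ethernet MTU of 1500, a 20-byte IPv4 header without options, and frame lengths counted without the FCS.

```python
# Added illustration: lay out the IPv4 fragments of one ICMP echo request.
ETH_HDR = 14    # Ethernet II header, FCS not counted (assumption)
IP_HDR = 20     # IPv4 header without options (assumption)
ICMP_HDR = 8    # ICMP echo header: type, code, checksum, id, sequence


def fragment_icmp_echo(ping_size, mtu=1500):
    """Return one dict per fragment for an echo request with ping_size data bytes."""
    ip_payload = ICMP_HDR + ping_size            # everything IP has to carry
    # The fragment offset field counts 8-byte units, so every fragment
    # except the last must carry a multiple of 8 bytes.
    per_frag = (mtu - IP_HDR) // 8 * 8
    frags = []
    pos = 0
    while pos < ip_payload:
        size = min(per_frag, ip_payload - pos)
        icmp_hdr = ICMP_HDR if pos == 0 else 0   # layer 4 header only in fragment 1
        frags.append({
            "offset_units": pos // 8,            # value of the fragment offset field
            "more_fragments": pos + size < ip_payload,
            "ip_payload": size,
            "icmp_header": icmp_hdr,
            "ping_data": size - icmp_hdr,
            "frame_len": ETH_HDR + IP_HDR + size,
        })
        pos += size
    return frags


if __name__ == "__main__":
    for number, frag in enumerate(fragment_icmp_echo(12000), 1):
        print(number, frag)
```
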