Hello, a certain Wireshark sample for ICMP fragmentation (attached) is showing the following:
From theory I know the offset field, in units of 8 bytes, will start calculating the offset from 0, then for 1400 bytes of data (minus the headers) the next value would be 1400/8. If I apply the same concept to the attached pcap it doesn't add up. Why are the offset values so different, even when considering 1500 bytes of data? Thanks. asked 28 Aug '15, 00:58 lazerz edited 28 Aug '15, 01:54
2 Answers:
@Pascal Quantin explained it correctly. The original ping packet has 5,608 bytes of data. It gets fragmented into four packets of 1480, 1480, 1480, and 1168 bytes. These four packets have offsets of 0, 1480, 2920, and 4440. What's stored in the Fragment Offset field of each IP packet is the offset as the number of 8-byte blocks; in other words, the actual offset divided by 8, so for the four packets, the Fragment Offset fields contain 0, 185, 370, and 555. In the Packet Details pane, Wireshark multiplies the number in the Fragment Offset field by 8 to show us the actual offset in bytes, rather than the number of 8-byte blocks.
Fragment Offset field / Wireshark Display:
0 / 0
185 / 1480
370 / 2960
555 / 4440
answered 19 Sep '15, 11:07 Jim Aragon edited 19 Sep '15, 11:08
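To make the conversion in this answer concrete, here is an added example (not code from the original thread or from Wireshark) that parses the 13-bit Fragment Offset field out of raw IPv4 headers, shows both the on-wire value and the byte value Wireshark displays, and checks that a fragment set is contiguous. The four headers are constructed to match the capture described above (1480, 1480, 1480 and 1168 bytes of payload); addresses, ID and TTL are made-up sample values.

```python
import struct

# IPv4 "flags + fragment offset" field: 3 flag bits, then a 13-bit offset in 8-byte units
MF_FLAG = 0x2000        # More Fragments
OFFSET_MASK = 0x1FFF    # 13-bit fragment offset (units of 8 bytes)


def parse_ipv4_fragment(header: bytes) -> dict:
    """Return the fragment-related fields of a raw IPv4 header (first 20 bytes)."""
    if len(header) < 20:
        raise ValueError("IPv4 header needs at least 20 bytes")
    ver_ihl, _tos, total_len, ident, flags_frag, _ttl, _proto = struct.unpack("!BBHHHBB", header[:10])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl_bytes = (ver_ihl & 0x0F) * 4
    raw_offset = flags_frag & OFFSET_MASK
    return {
        "id": ident,
        "more_fragments": bool(flags_frag & MF_FLAG),
        "fragment_offset_field": raw_offset,      # value on the wire (8-byte blocks)
        "fragment_offset_bytes": raw_offset * 8,  # value Wireshark shows in the details pane
        "payload_len": total_len - ihl_bytes,     # total length minus header length
    }


def build_ipv4_header(total_len: int, ident: int, more_fragments: bool, offset_bytes: int) -> bytes:
    """Construct a minimal 20-byte IPv4 header (sample data; checksum left as zero)."""
    if offset_bytes % 8:
        raise ValueError("fragment offset must be a multiple of 8 bytes")
    flags_frag = (MF_FLAG if more_fragments else 0) | (offset_bytes // 8)
    # version 4, IHL 5, TTL 64, protocol 1 (ICMP), made-up source/destination
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_frag, 64, 1, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))


def check_reassembly(headers) -> int:
    """Verify the fragments are contiguous (no gap, no overlap) and return the reassembled length."""
    frags = sorted((parse_ipv4_fragment(h) for h in headers), key=lambda f: f["fragment_offset_bytes"])
    expected = 0
    for f in frags:
        if f["fragment_offset_bytes"] != expected:
            raise ValueError(f"gap or overlap at byte offset {expected}")
        expected += f["payload_len"]
    if frags[-1]["more_fragments"]:
        raise ValueError("last fragment still has More Fragments set")
    return expected


# Constructed fragment set mirroring the capture: 5608 bytes of payload, MTU 1500 (total lengths 1500/1188)
SAMPLE_FRAGMENTS = [build_ipv4_header(1500, 0x1234, True, 0),
                    build_ipv4_header(1500, 0x1234, True, 1480),
                    build_ipv4_header(1500, 0x1234, True, 2960),
                    build_ipv4_header(1188, 0x1234, False, 4440)]
```

Running `parse_ipv4_fragment` over `SAMPLE_FRAGMENTS` yields field values 0, 185, 370, 555 and byte offsets 0, 1480, 2960, 4440, matching the table above; the contiguity check is the same kind of test a reassembling IDS or host stack must perform before trusting the rebuilt datagram.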
Each fragment does not have a hardcoded size of 1400 bytes, but (total length - header length) bytes as indicated in the IPv4 header. See this link for more details. According to the capture you posted to the Wireshark user mailing list, the IPv4 payload data is 1480 bytes long, so the fragmentation makes perfect sense. answered 28 Aug '15, 01:15 Pascal Quantin
Thanks for the analysis. However, my original query still remains unanswered, which was how these offset values are calculated in the first place. For 1480 bytes of data the first offset value, taking 8 bytes, should be 185. If yes, why is the same not represented in the screenshot shown? Thanks
OK the initial question was not clear to me.
Wireshark is displaying the offset in bytes, and not in 8-byte blocks, as seen in the source code: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=blob;f=epan/dissectors/packet-ip.c;h=11673c43abfbbb1842866ee7cee54b70efe97a13;hb=refs/heads/master
Thanks, but I believe it doesn't answer the problem.
What is your problem then?
From frames 3-5, how are the offset values calculated? (see the picture above in the question)
Again, the offset is given in the IP header, and in the Info column Wireshark converts it from an offset in 8-byte units to an offset in bytes.