A certain Wireshark sample for ICMP fragmentation (attached) is showing the following:
From theory, I know the usual 8 bytes of offset field will start calculating the offset from 0, then for 1400 bytes of data (minus the headers) the next value will be 1400/8. If I apply the same concept to the attached pcap, it doesn't add up. Why are the offset values so different, even when considering 1500 bytes of data?
asked 28 Aug '15, 00:58
edited 28 Aug '15, 01:54
@Pascal Quantin explained it correctly. The original ping packet has 5,608 bytes of data. It gets fragmented into four packets of 1480, 1480, 1480, and 1168 bytes. These four packets have offsets of 0, 1480, 2920, and 4440. What's stored in the Fragment Offset field of each IP packet is the offset as the number of 8-byte blocks; in other words, the actual offset divided by 8, so for the four packets, the Fragment Offset fields contain 0, 185, 370, and 555. In the Packet Details pane, Wireshark multiplies the number in the Fragment Offset field by 8 to show us the actual offset in bytes, rather than the number of 8-byte blocks.
Fragment Offset field / Wireshark Display:
0 / 0
185 / 1480
370 / 2960
555 / 4440
answered 19 Sep '15, 11:07
edited 19 Sep '15, 11:08
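The arithmetic in the answer above, as an added example that is not part of the original posts: it splits a 5,608-byte IPv4 payload for a 1500-byte MTU, packs each fragment's header, decodes the Fragment Offset field back to bytes the way Wireshark displays it, and checks that the set reassembles without gaps or overlaps. The 20-byte header without options, the 1500-byte MTU, the identification value and the 192.0.2.x addresses are assumptions constructed for the illustration.

```python
import struct

IP_HDR_LEN = 20  # assumption: IPv4 header without options

def fragment(payload_len, mtu=1500):
    """Split an IPv4 payload; return (offset_field, more_fragments, data_len) tuples."""
    # Every fragment except the last must carry a multiple of 8 bytes.
    max_data = (mtu - IP_HDR_LEN) // 8 * 8
    frags, offset = [], 0
    while offset < payload_len:
        size = min(max_data, payload_len - offset)
        mf = offset + size < payload_len
        frags.append((offset // 8, mf, size))  # field stores 8-byte blocks
        offset += size
    return frags

def pack_header(offset_field, mf, data_len, ident=0x1234):
    """Build a minimal IPv4 header (constructed values, checksum left at 0)."""
    flags_frag = (0x2000 if mf else 0) | offset_field  # MF bit + 13-bit offset
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + data_len, ident,
                       flags_frag, 64, 1, 0,
                       bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))

def parse_header(hdr):
    """Return (byte_offset, more_fragments, data_len) as a dissector shows them."""
    ver_ihl, _, total_len, _, flags_frag = struct.unpack("!BBHHH", hdr[:8])
    ihl = (ver_ihl & 0x0F) * 4
    return (flags_frag & 0x1FFF) * 8, bool(flags_frag & 0x2000), total_len - ihl

def reassembles_cleanly(parsed):
    """True if fragments are contiguous from 0 and only the last has MF clear."""
    if not parsed:
        return False
    ordered, expected = sorted(parsed), 0
    for i, (off, mf, length) in enumerate(ordered):
        last = i == len(ordered) - 1
        if off != expected or mf == last or (not last and length % 8):
            return False  # gap, overlap, wrong MF flag, or unaligned fragment
        expected = off + length
    return True

if __name__ == "__main__":
    for field, mf, size in fragment(5608):
        byte_off, _, data_len = parse_header(pack_header(field, mf, size))
        print(f"field={field:4d}  bytes={byte_off:5d}  MF={int(mf)}  data={data_len}")
```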
Each fragment does not have a hardcoded size of 1400 bytes, but the (total length - header length) bytes as indicated in the IPv4 header. See this link for more details.
According to the capture you posted to the Wireshark user mailing list, the IPv4 payload data is 1480 bytes long, so the fragmentation makes perfect sense.
answered 28 Aug '15, 01:15