This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

what does wireshark check when it reports the error " new fragment overlaps old data"? i mean what kind of analysis does wireshark does when it reports this error in TCP ?

asked 27 Jun '17, 07:05

soumya033's gravatar image

soumya033
6223
accept rate: 0%


Lower layer packets (IP) should contain each fragment of the higher layer packet (TCP) only once. If a lower layer packet contains fragment data which is also found in another lower layer packet, this gets reported.

              +-----------+
              |bytes 1..37|
              +-----------+
          Higher layer packet

+-----------+ +------------+ +------------+
|bytes 1..20| |bytes 21..30| |bytes 27..37|
+-----------+ +------------+ +------------+
   packet 1       packet 2       packet 3

This is an example of three fragments which overlap bytes 27, 28, 29 and 30, which are found in lower layer packet 2 and 3.

              +-----------+
              |bytes 1..37|
              +-----------+
          Higher layer packet

+-----------+ +------------+ +------------+
|bytes 1..20| |bytes 21..37| |bytes 21..37|
+-----------+ +------------+ +------------+
   packet 1       packet 2       packet 3

This is an example of three fragments where packet 3 is a retransmission of the fragment already seen in packet 2. This is a common cause of overlapping fragment data.

permanent link

answered 27 Jun '17, 07:51

Jaap's gravatar image

Jaap ♦
11.7k16101
accept rate: 14%

TCP should not bother about this right , it is up to the application to do what it wants with it ? So why wireshark analysis classifies it with TCP error . It TCP really has to see it as error then there should be overlapping sequence numbers , because each byte is numbered in TCP in form of sequence numbers .

The capture which i have have all sequence number perfect there is no overlap of TCP sequence numbers , so the above explanation is not answering my question .

(29 Jun '17, 05:28) soumya033

TCP should bother about this, it is its main purpose: to provide a reliable stream service. Try replacing it with UDP and watch what happens to your application in adverse network conditions.

(29 Jun '17, 05:57) Jaap ♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×752
×193

question asked: 27 Jun '17, 07:05

question was seen: 8,495 times

last updated: 29 Jun '17, 05:57

p​o​w​e​r​e​d by O​S​Q​A