This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

what does wireshark check when it reports the error " new fragment overlaps old data"

0

what does wireshark check when it reports the error " new fragment overlaps old data"? i mean what kind of analysis does wireshark does when it reports this error in TCP ?

asked 27 Jun '17, 07:05

soumya033's gravatar image

soumya033
6223
accept rate: 0%


One Answer:

1

Lower layer packets (IP) should contain each fragment of the higher layer packet (TCP) only once. If a lower layer packet contains fragment data which is also found in another lower layer packet, this gets reported.

              +-----------+
              |bytes 1..37|
              +-----------+
          Higher layer packet

+———–+ +————+ +————+ |bytes 1..20| |bytes 21..30| |bytes 27..37| +———–+ +————+ +————+ packet 1 packet 2 packet 3

This is an example of three fragments which overlap bytes 27, 28, 29 and 30, which are found in lower layer packet 2 and 3.

              +———–+
|bytes 1..37|
+———–+
Higher layer packet

+———–+ +————+ +————+ |bytes 1..20| |bytes 21..37| |bytes 21..37| +———–+ +————+ +————+ packet 1 packet 2 packet 3

This is an example of three fragments where packet 3 is a retransmission of the fragment already seen in packet 2. This is a common cause of overlapping fragment data.

answered 27 Jun ‘17, 07:51

Jaap's gravatar image

Jaap ♦
11.7k16101
accept rate: 14%

TCP should not bother about this right , it is up to the application to do what it wants with it ? So why wireshark analysis classifies it with TCP error . It TCP really has to see it as error then there should be overlapping sequence numbers , because each byte is numbered in TCP in form of sequence numbers .

The capture which i have have all sequence number perfect there is no overlap of TCP sequence numbers , so the above explanation is not answering my question .

(29 Jun ‘17, 05:28) soumya033

TCP should bother about this, it is its main purpose: to provide a reliable stream service. Try replacing it with UDP and watch what happens to your application in adverse network conditions.

(29 Jun ‘17, 05:57) Jaap ♦