What does Wireshark check when it reports the error "new fragment overlaps old data"? I mean, what kind of analysis does Wireshark do when it reports this error in TCP?
asked 27 Jun '17, 07:05 soumya033
One Answer:
Lower layer packets (IP) should contain each fragment of the higher layer packet (TCP) only once. If a lower layer packet contains fragment data which is also found in another lower layer packet, this gets reported.
This is an example of three fragments which overlap bytes 27, 28, 29 and 30, which are found in lower layer packet 2 and 3.
This is an example of three fragments where packet 3 is a retransmission of the fragment already seen in packet 2. This is a common cause of overlapping fragment data.
answered 27 Jun '17, 07:51 Jaap ♦
TCP should not bother about this, right? It is up to the application to do what it wants with it? So why does Wireshark's analysis classify it as a TCP error? If TCP really has to see it as an error, then there should be overlapping sequence numbers, because each byte is numbered in TCP in the form of sequence numbers.
The capture which I have has all sequence numbers perfect; there is no overlap of TCP sequence numbers, so the above explanation is not answering my question.
TCP should bother about this, it is its main purpose: to provide a reliable stream service. Try replacing it with UDP and watch what happens to your application in adverse network conditions.
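The check described in the answer, as an added example that is not part of the thread and is not Wireshark's own code: each fragment's byte range is compared with the ranges already collected, and any intersection is reported. The names `Fragment` and `find_overlaps`, the offsets and the payload are constructed for illustration; comparing the overlapping bytes for differing content goes one step beyond what the answer describes.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Fragment:
    packet: int   # frame number in the capture (constructed)
    offset: int   # position of the first byte in the reassembled data
    data: bytes

def find_overlaps(fragments):
    """Return one finding per pair of fragments that share byte positions."""
    seen = []       # fragments already collected, in arrival order
    findings = []
    for frag in fragments:
        start, end = frag.offset, frag.offset + len(frag.data)
        for old in seen:
            o_start, o_end = old.offset, old.offset + len(old.data)
            lo, hi = max(start, o_start), min(end, o_end)
            if lo >= hi:
                continue  # disjoint ranges: nothing to report
            same = frag.data[lo - start:hi - start] == old.data[lo - o_start:hi - o_start]
            if not same:
                kind = "conflicting overlap"   # same positions, different bytes
            elif (start, end) == (o_start, o_end):
                kind = "retransmission"        # identical fragment seen twice
            else:
                kind = "partial overlap"
            findings.append({"packet": frag.packet, "earlier": old.packet,
                             "bytes": (lo, hi - 1), "kind": kind})
        seen.append(frag)
    return findings

# Constructed sample: 46 bytes of higher-layer data split over three packets.
PAYLOAD = bytes(range(46))
FIRST = Fragment(1, 0, PAYLOAD[0:16])
SECOND = Fragment(2, 16, PAYLOAD[16:31])
# Packet 3 starts at byte 27, so bytes 27..30 are in packets 2 and 3.
OVERLAPPING = [FIRST, SECOND, Fragment(3, 27, PAYLOAD[27:46])]
# Packet 3 repeats the fragment already seen in packet 2.
RETRANSMITTED = [FIRST, SECOND, Fragment(3, 16, PAYLOAD[16:31])]

if __name__ == "__main__":
    for name, frags in (("overlap", OVERLAPPING), ("retransmission", RETRANSMITTED)):
        print(name, find_overlaps(frags))
```
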