This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Fragmentation

0

I'm troubleshooting an application across the WAN and want to know how to look in the trace to see if IP fragmentation could be an issue. The client trace file is captured directly from the NIC and the server trace is from a port span. The network team claimed there's fragmentation, but it does not show when the trace is filtered with the "IP fragments" flag. The trace shows there's no delay with the response time for the request and response. The majority of the delay seems to be the client when looking at the client and server side traces. I just want to rule out fragmentation as an issue and am not sure what else to check. I want to rule out fragmentation as the cause of the delay.

asked 08 Nov '11, 08:39


ws2006


One Answer:

2

Look for the ICMP message "fragmentation needed". The display filter icmp.type == 3 and icmp.code == 4 reveals these messages.

Fragmentation might still be an issue if the ICMP message is blocked by a firewall, resulting in a "black hole router". Typical symptoms for a black hole router are:

  • The connection is properly set up (successful 3-way handshake)
  • Short packets go through, like the individual keystrokes of a telnet or ssh session
  • The application "freezes" when large segments are transmitted (authentication with username and password is okay, but large transfers fail)

Good hunting!

answered 08 Nov '11, 08:54


packethunter

Thanks. Did not see any ICMP messages.

(16 Nov '11, 04:33) ws2006

Do you see the initial 3-way handshake?

If yes: Do you see the delivery of small packets (e.g. authentication), while large packets are dropped?

The lack of ICMP messages can indicate the presence of a black hole router.

(16 Nov '11, 04:40) packethunter
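
The checks discussed in this thread, as an added example that is not part of the original posts: it applies the same test as icmp.type == 3 and icmp.code == 4 to raw IPv4 packets, counts real fragments, and goes one step further by flagging large DF-set TCP segments that repeat while no such ICMP message appears. The function names, the 1000-byte "large" threshold, the black-hole heuristic and all sample packets are constructed assumptions.

```python
import struct
from collections import Counter

def ipv4(proto, payload, df=True, mf=False, off=0):
    """Constructed IPv4 packet 10.0.0.1 -> 10.0.0.2 (checksum 0, sample data only)."""
    flags_frag = (0x4000 if df else 0) | (0x2000 if mf else 0) | off
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, flags_frag,
                       64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + payload

def tcp(seq, data_len):
    """Constructed TCP segment, ports 40000 -> 443, ACK flag, filler payload."""
    return struct.pack("!HHIIBBHHH", 40000, 443, seq, 0, 0x50, 0x10, 65535, 0, 0) + b"x" * data_len

def analyze(packets, large=1000):
    """Collect fragmentation evidence from raw IPv4 packets (no link-layer header)."""
    n, seen, mtus = Counter(), Counter(), []
    for p in packets:
        ihl = (p[0] & 0x0F) * 4
        total_len, _ident, flags_frag = struct.unpack("!HHH", p[2:8])
        proto, l4 = p[9], p[ihl:]
        if flags_frag & 0x3FFF:                      # MF set or offset > 0: a fragment
            n["fragments"] += 1
        elif proto == 1 and l4[:2] == b"\x03\x04":   # icmp.type == 3 and icmp.code == 4
            n["frag_needed"] += 1
            mtus.append(struct.unpack("!H", l4[6:8])[0])   # next-hop MTU field (RFC 1191)
        elif proto == 6 and flags_frag & 0x4000 and total_len >= large:
            flow_seq = (p[12:20], l4[:8])            # addresses, ports, sequence number
            seen[flow_seq] += 1
            n["large_df_retransmits"] += seen[flow_seq] > 1
    return {"fragments": n["fragments"], "frag_needed": n["frag_needed"],
            "next_hop_mtus": mtus, "large_df_retransmits": n["large_df_retransmits"],
            # Assumed heuristic: big DF segments repeat and no ICMP 3/4 ever arrives.
            "black_hole_suspected": n["large_df_retransmits"] > 0 and n["frag_needed"] == 0}

# Constructed sample captures (not taken from the poster's traces).
SEG = ipv4(6, tcp(5000, 1400))                       # 1440-byte segment with DF set
ICMP_3_4 = ipv4(1, struct.pack("!BBHHH", 3, 4, 0, 0, 1400) + SEG[:28], df=False)
BLACK_HOLE = [ipv4(6, tcp(1000, 0)), ipv4(6, tcp(1000, 40)), SEG, SEG, SEG]
PMTUD_WORKS = [SEG, ICMP_3_4, ipv4(6, tcp(5000, 1360))]
FRAGMENTED = [ipv4(17, b"u" * 1480, df=False, mf=True),
              ipv4(17, b"u" * 520, df=False, off=185)]

if __name__ == "__main__":
    for name in ("BLACK_HOLE", "PMTUD_WORKS", "FRAGMENTED"):
        print(name, analyze(globals()[name]))
```

A real capture would first need its link-layer header stripped before packets are passed to analyze().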