Martin Pyne wrote:
> I've been experiencing some interesting issues lately regarding a NFS 
> scan I did released.  There are several packets that, when the 
> "Reassemble fragmented IP diagrams" option is selected in Preferences -> 
> IP, show under "Info" "Fragmented IP protocol (proto=UDP 0x11, off=0)".

"off=0" means that this is the first fragment of a fragmented IP datagram.

> When that option is deselected, the packets show "V3 READ Reply (Call In 
> 2941532) Len: 32768[Unreassembled]".

The fragmented IP datagram in question contains an NFSv3 reply to a READ 
request.  As you turned off IP datagram reassembly, Wireshark doesn't 
try to find all the fragments of the fragmented IP datagram, and 
reassemble them, before dissecting the packet data above the IP layer; 
instead, it tries to dissect what part of the datagram is available in 
the first fragment, and quits and marks the packet as unreassembled when 
it runs out of data in the first fragment.

If only the first fragment is in your capture, then, when reassembly is 
enabled, the reassembly will fail.

If you captured with a capture filter of, for example, "port 2049", only 
the first fragment will be captured, as the UDP header, which contains 
the source and destination port numbers, is in the first fragment. 
Capture filtering (as offered by the kernel in many OSes) is 
"stateless", so it can't arrange to capture all the fragments.
_______________________________________________
Wireshark-users mailing list
Wireshark-users@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-users
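
The stateless-filter behaviour described in the reply above, as an added example that is not part of the original message. The addresses, the client port 1023, the 1480-byte fragment payload (a 1500-byte MTU) and the function names are constructed assumptions, and the widened filter expression is an addition, not something proposed in the thread.

```python
import struct

def ipv4_header(proto, frag_off_bytes, more_fragments, payload_len):
    """Build a minimal 20-byte IPv4 header (constructed sample, checksum left 0)."""
    flags_off = (0x2000 if more_fragments else 0) | (frag_off_bytes // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                       flags_off, 64, proto, 0,
                       bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))

def fragment_udp(sport, dport, data, frag_payload=1480):
    """Split one UDP datagram into IPv4 fragments, as the sender's IP layer would."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    frags = []
    for off in range(0, len(udp), frag_payload):
        chunk = udp[off:off + frag_payload]
        more = off + frag_payload < len(udp)
        frags.append(ipv4_header(17, off, more, len(chunk)) + chunk)
    return frags

def frag_offset(pkt):
    """Equivalent of the pcap expression ip[6:2] & 0x1fff (offset in 8-byte units)."""
    return struct.unpack("!H", pkt[6:8])[0] & 0x1FFF

def match_port(pkt, port):
    """Stateless per-packet test like "port 2049": needs the UDP header in this packet."""
    if pkt[9] != 17 or frag_offset(pkt) != 0:
        return False          # later fragments carry no UDP header to test
    ihl = (pkt[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return port in (sport, dport)

def match_port_or_later_fragment(pkt, port):
    """Like "port 2049 or (ip[6:2] & 0x1fff != 0)": also keep non-first fragments."""
    return match_port(pkt, port) or frag_offset(pkt) != 0

def captured(frags, flt, port=2049):
    """Indexes of the fragments a given per-packet filter would keep."""
    return [i for i, p in enumerate(frags) if flt(p, port)]

# Constructed sample: a 32768-byte NFS READ reply sent from port 2049 over UDP.
FRAGS = fragment_udp(2049, 1023, b"\x00" * 32768)

if __name__ == "__main__":
    print(len(FRAGS), "fragments")
    print("port 2049 keeps:", captured(FRAGS, match_port))
    print("widened filter keeps:", len(captured(FRAGS, match_port_or_later_fragment)))
```

The widened test also keeps non-first fragments of unrelated traffic, since a per-packet filter cannot tell which datagram a later fragment belongs to.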
