On Nov 16, 2010, at 2:16 AM, Lange Jan-Erik wrote:

> I want to try the example dissector out of the dev guide of wireshark.
>  
> The dissector works with UDP on port 1234. But when I'm sending a UDP Frame 
> with UDP Src 1234 and Dest 1234 (IPv4) then in the protocol section of the UI 
> it is labeled with IP only like you can see in the screenshot picture. Shouldn't 
> it be labeled with FOO?

No, because they're IP fragments.  In order for the IP dissector to hand those 
packets to the UDP dissector, either:

        1) if IP reassembly is disabled, those packets must be the first 
fragment - in the sense of having a fragment offset of 0 - of the fragmented 
datagram 

or

        2) if IP reassembly is enabled, all the fragments must be present in 
the capture, so that the fragments can be reassembled, and those packets must 
be the last fragment - in the sense of "last fragment, chronologically" - of 
the fragmented datagram.

Those fragments do *not* have a fragment offset of 0, so they'll just be 
dissected as IP fragments unless the fragmented datagram can be reassembled.  
In order for the IP datagram to be reassembled, IP reassembly must be enabled 
(which it is by default), and *all* of the fragments must be present; I don't 
see the other fragments in that capture.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <[email protected]>
Archives:    http://www.wireshark.org/lists/wireshark-dev
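
The two cases in the reply above, modeled as an added example (not part of the original message and not Wireshark's own code). The function names, addresses, IP ID and the 3000-byte datagram are constructed for illustration; the model follows only the rules stated in the reply.

```python
import struct

def ipv4_fragment(ident, offset, more, payload):
    """Constructed IPv4/UDP packet, 10.0.0.1 -> 10.0.0.2; offset in bytes, checksum 0."""
    flags_off = (0x2000 if more else 0) | (offset // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_off,
                       64, 17, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + payload

def sample_capture():
    """One 3000-byte UDP datagram (ports 1234 -> 1234) split into three fragments."""
    udp = struct.pack("!HHHH", 1234, 1234, 3000, 0) + b"\x00" * 2992
    return [ipv4_fragment(7, 0, True, udp[:1480]),
            ipv4_fragment(7, 1480, True, udp[1480:2960]),
            ipv4_fragment(7, 2960, False, udp[2960:])]

def is_complete(parts, total):
    """True when the received pieces cover bytes 0..total with no hole."""
    end = 0
    for off in sorted(parts):
        if off > end:
            return False
        end = max(end, off + parts[off])
    return total is not None and end >= total

def handoff(frames, reassembly_enabled):
    """Per frame: 'upper' if its payload reaches the next dissector, else 'fragment'."""
    pieces, totals, result = {}, {}, []
    for pkt in frames:
        ihl = (pkt[0] & 0x0F) * 4
        total_len, ident, flags_off = struct.unpack("!HHH", pkt[2:8])
        more, offset = bool(flags_off & 0x2000), (flags_off & 0x1FFF) * 8
        key = (pkt[12:16], pkt[16:20], pkt[9], ident)   # src, dst, protocol, IP ID
        if not more and offset == 0:
            up = True                                    # not fragmented at all
        elif not reassembly_enabled:
            up = offset == 0                             # case 1: first fragment only
        else:                                            # case 2: needs every fragment
            pieces.setdefault(key, {})[offset] = total_len - ihl
            if not more:                                 # last fragment fixes the length
                totals[key] = offset + total_len - ihl
            up = is_complete(pieces[key], totals.get(key))
        result.append("upper" if up else "fragment")
    return result
```

Calling handoff(sample_capture()[1:], True) models a capture in which the offset-0 fragment is missing: every frame stays labeled as an IP fragment in both modes.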