Wireshark · Ethereal-users: Re: [Ethereal-users] IP Fragment Reassembly

Ethereal-users: Re: [Ethereal-users] IP Fragment Reassembly

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>

Date: Sat, 8 Jun 2002 13:32:56 -0700

On Sat, Jun 08, 2002 at 10:31:21AM -0700, Chris Waters wrote:
> Thanks, now I understand. I was looking at the packet list, and not at the
> decode tree and so was thinking that the fact that I was still seeing
> "Fragmented IP protocol" packets meant that the reassembly wasn't happening.

No, it means that Ethereal shows all the frames in your capture, and
that the topmost pane in Ethereal's display has one entry per frame.

> Is there any way to prevent the fragments from being displayed after
> reassembly has occurred?

The only way to do that would be to construct a display filter to hide
all fragments but the last one.

Try

	!ip || ip.flags.mf == 0

which shows

	1) packets that aren't IP packets

and

	2) IP packets that don't have the "more fragments" bit set.

(That doesn't handle IPv6 fragmentation, or OSI CLNP fragmentation,
or....  More elaborate display filters to handle those are left as an
exercise for the reader.)

References:
- [Ethereal-users] IP Fragment Reassembly
  - From: Chris Waters
- Re: [Ethereal-users] IP Fragment Reassembly
  - From: Guy Harris
- Re: [Ethereal-users] IP Fragment Reassembly
  - From: Chris Waters

Prev by Date: Re: [Ethereal-users] IP Fragment Reassembly
Next by Date: Re: [Ethereal-users] Wireless sniffing - FreeBSD 4.5 + Cisco LMC352?
Previous by thread: Re: [Ethereal-users] IP Fragment Reassembly
Next by thread: RE: [Ethereal-users] IP Fragment Reassembly
Index(es):
- Date
- Thread