On Nov 16, 2010, at 2:16 AM, Lange Jan-Erik wrote:
I want to try the example dissector out of the dev guide of wireshark.
The dissector works with UDP on port 1234. But when I'm sending a UDP Frame with UDP Src 1234 und Dest 1234 (IPv4) then in the protocol section of the UI is labeled with IP only like you can see in the screenshot picture. Shouldn't it be labeled with FOO?
No, because they're IP fragments. In order for the IP dissector to hand those packets to the UDP dissector, either:
1) if IP reassembly is disabled, those packets must be the first fragment - in the sense of having a fragment offset of 0 - of the fragmented datagram
or
2) if IP reassembly is enabled, all the fragments must be present in the capture, so that the fragments can be reassembled, and those packets must be the last fragment - in the sense of "last fragment, chronologically" - of the fragmented datagram.
Those fragments do *not* have a fragment offset of 0, so they'll just be dissected as IP fragments unless the fragmented datagram can be reassembled. In order for the IP datagram to be reassembled, IP reassembly must be enabled (which it is by default), and *all* of the fragments must be present; I don't see the other fragments in that capture.
|
