Wireshark · Wireshark-users: Re: [Wireshark-users] Possible incorrect behaviour?

[Jeff Morriss <jeff.morriss@xxxxxxxxxxx>]

Eckard Brauer wrote:
> Hello there,
>
> I have Wireshark 0.99.5 on Gentoo capturing a little multicast traffic. The 
> traffic has some IP fragmentation, so the IP section of the first frame tells 
> me that "Reassembled IP in frame: #of_last_frame" while this tells me "[IP 
> Fragments (1382 bytes): #of_frames]" (frames an their data payloads (1280+102 
> bytes) are listed there).
>
> The following section of this frame is the reassembled UDP packet. Wireshark 
> marks the UDP section head and Length in red and complains about "Length: 
> 1382 (bogus, should be 102)".
>
> This seems incorrect to me, because the whole (reassembled) UDP packet is 1382 
> bytes long, independend on that this is more than the actual frame's payload 
> is (I'm aware of problems with fragmented UDP traffic, but in case all 
> fragments have been caught, shouldn't it appear as a correct UDP datagram?).

Yes it's incorrect, see bug 1462 in the bugs database.  It was fixed 
shortly after 0.99.5 was released so you can try out one of the buildbot 
builds if you want.