Wireshark-users: Re: [Wireshark-users] Identification of Fragmented UDP Packets

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Thu, 21 Jan 2010 18:46:25 -0800
On Jan 21, 2010, at 5:52 PM, Eddie wrote:

> Guy Harris wrote:
> 
>> Can you save just the two offending fragments from the WAN capture to a file?  If so, when you read the file in, does it reassemble the fragments?  If not, could you send us that capture, along with the version information from Wireshark?
> 
> Not sure what you mean by this.  Can you explain a little more please.

In Wireshark, the File -> Save As... menu item will let you save to a file a subset of the packets in the capture you currently have open.

Select "Save As..." from the "File" menu, and in the "Packet Range" stuff below the list of files, select "Specify a packet range:" and type in, for example...

> I've also uploaded a couple of screen shots, which hopefully reinforce 
> my descriptions of what I'm seeing.  On the LAN, it's packets 16 and 
> 17.  The WAN is 17 and 18.

..."16-17" for the LAN capture and "17-18" for the WAN capture.

Then enter a file name and click "Save"; that should save a file with only the two packets in question in it.

Then browse to a directory into which you can save the file, 

> http://www.BogoLinux.net/LANFragments.png
> http://www.BogoLinux.net/WANFragments.png

OK, the header checksums are all valid (all four packets).  However, the packets in the WAN capture *might* have been cut short by a snapshot length.  If you can't save the offending packets and send them to us, can you indicate what's in the "Frame" portion of the packet detail pane for packet 17 in the WAN capture?  In particular, what are the "Frame Length" and "Capture Length" values?
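
Added example, not part of the original message: a Python script that performs the "Frame Length" versus "Capture Length" comparison asked for above by reading the per-packet record headers of a classic pcap file, and that also reports the IPv4 fragment flag and offset when enough of the packet was captured. The sample capture, its addresses and the function names are constructed for illustration.

```python
import struct

MAGICS = (0xA1B2C3D4, 0xA1B23C4D)  # classic pcap: microsecond / nanosecond timestamps

def build_sample_pcap(snaplen=96):
    """Constructed sample: the same 1514-byte Ethernet/IPv4/UDP first fragment,
    written once in full and once cut to `snaplen` bytes."""
    eth = bytes(12) + b"\x08\x00"
    # IPv4: total length 1500, id 0x1234, More Fragments set, offset 0, proto 17.
    # Documentation addresses; checksum left at 0 (this script does not check it).
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234, 0x2000, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    frame = eth + ip + b"\xAA" * 1480
    out = struct.pack("<IHHiIII", MAGICS[0], 2, 4, 0, 0, 65535, 1)  # linktype 1
    for data in (frame, frame[:snaplen]):
        out += struct.pack("<IIII", 0, 0, len(data), len(frame)) + data
    return out

def frame_lengths(pcap):
    """Return one (number, frame_len, capture_len, cut_short, frag) tuple per packet.
    frag is (more_fragments, byte_offset) for Ethernet/IPv4 frames, else None."""
    if struct.unpack_from("<I", pcap)[0] in MAGICS:
        end = "<"
    elif struct.unpack_from(">I", pcap)[0] in MAGICS:
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack_from(end + "I", pcap, 20)[0]
    rows, pos, number = [], 24, 0
    while pos + 16 <= len(pcap):
        # Record header: ts_sec, ts_frac, captured length, original length
        _, _, cap_len, frame_len = struct.unpack_from(end + "IIII", pcap, pos)
        data = pcap[pos + 16 : pos + 16 + cap_len]
        pos += 16 + cap_len
        number += 1
        frag = None
        if linktype == 1 and len(data) >= 34 and data[12:14] == b"\x08\x00":
            field = struct.unpack_from("!H", data, 20)[0]  # flags + fragment offset
            frag = (bool(field & 0x2000), (field & 0x1FFF) * 8)
        rows.append((number, frame_len, cap_len, cap_len < frame_len, frag))
    return rows

if __name__ == "__main__":
    for n, flen, clen, cut, frag in frame_lengths(build_sample_pcap()):
        print(f"packet {n}: Frame Length {flen}, Capture Length {clen}, "
              f"cut short: {cut}, IPv4 (MF, offset): {frag}")
```

A packet whose Capture Length is smaller than its Frame Length was cut short when it was captured, which is the condition the question about packet 17 is trying to confirm or rule out.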