Wireshark · Wireshark-users: Re: [Wireshark-users] Possible incorrect behaviour?

Wireshark-users: Re: [Wireshark-users] Possible incorrect behaviour?

From: Jeff Morriss <jeff.morriss@xxxxxxxxxxx>

Date: Sun, 15 Apr 2007 08:21:20 +0800



Eckard Brauer wrote:

Hello there,
I have Wireshark 0.99.5 on Gentoo capturing a little multicast traffic. Thetraffic has some IP fragmentation, so the IP section of the first frame tellsme that "Reassembled IP in frame: #of_last_frame" while this tells me "[IPFragments (1382 bytes): #of_frames]" (frames an their data payloads (1280+102bytes) are listed there).
The following section of this frame is the reassembled UDP packet. Wiresharkmarks the UDP section head and Length in red and complains about "Length:1382 (bogus, should be 102)".
This seems incorrect to me, because the whole (reassembled) UDP packet is 1382bytes long, independend on that this is more than the actual frame's payloadis (I'm aware of problems with fragmented UDP traffic, but in case allfragments have been caught, shouldn't it appear as a correct UDP datagram?).

Yes it's incorrect, see bug 1462 in the bugs database. It was fixedshortly after 0.99.5 was released so you can try out one of the buildbotbuilds if you want.

References:
- [Wireshark-users] Possible incorrect behaviour?
  - From: Eckard Brauer

Prev by Date: Re: [Wireshark-users] How to propose a new feature?
Next by Date: Re: [Wireshark-users] How to propose a new feature?
Previous by thread: [Wireshark-users] Possible incorrect behaviour?
Next by thread: [Wireshark-users] Decoding Email Packets
Index(es):
- Date
- Thread