Martin Pyne wrote:
> I've been experiencing some interesting issues lately regarding a NFS
> scan I did released. There are several packets that, when the
> "Reassemble fragmented IP diagrams" option is selected in Preferences ->
> IP, show under "Info" "Fragmented IP protocol (proto=UDP 0x11, off=0)".

"off=0" means that this is the first fragment of a fragmented IP datagram.

> When that option is deselected, the packets show "V3 READ Reply (Call In
> 2941532) Len: 32768[Unreassembled]".

The fragmented IP datagram in question contains an NFSv3 reply to a READ
request. As you turned off IP datagram reassembly, Wireshark doesn't
try to find all the fragments of the fragmented IP datagram, and
reassemble them, before dissecting the packet data above the IP layer;
instead, it tries to dissect what part of the datagram is available in
the first fragment, and quits and marks the packet as unreassembled when
it runs out of data in the first fragment.

If only the first fragment is in your capture, then, when reassembly is
enabled, the reassembly will fail.

If you captured with a capture filter of, for example, "port 2049", only
the first fragment will be captured, as the UDP header, which contains
the source and destination port numbers, is in the first fragment.
Capture filtering (as offered by the kernel in many OSes) is
"stateless", so it can't arrange to capture all the fragments.
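
Added example (not part of the original message): a small simulation of a stateless "port 2049" filter applied to the fragments of one 32768-byte UDP READ reply, next to a filter that also accepts non-first fragments, the pcap expression `port 2049 or (ip[6:2] & 0x1fff != 0)`. The addresses, IP ID, client port and 1480-byte fragment size are constructed sample values.

```python
import struct

def fragment(l4, chunk=1480):
    """Split one UDP datagram (header + data) into IPv4 fragments."""
    pkts = []
    for off in range(0, len(l4), chunk):
        data = l4[off:off + chunk]
        mf = 0x2000 if off + chunk < len(l4) else 0  # More Fragments flag
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(data),
                          0x1234, mf | (off // 8), 64, 17, 0,
                          bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
        pkts.append(hdr + data)
    return pkts

def frag_offset(pkt):
    """Fragment offset in bytes, from the low 13 bits of ip[6:2]."""
    return (struct.unpack("!H", pkt[6:8])[0] & 0x1FFF) * 8

def port_filter(pkt, port):
    """Stateless 'port N': decides from this one packet only."""
    if pkt[9] != 17 or frag_offset(pkt) != 0:
        return False  # a non-first fragment carries no UDP header
    ihl = (pkt[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return port in (sport, dport)

def port_or_fragment_filter(pkt, port):
    """'port N or (ip[6:2] & 0x1fff != 0)': also keeps later fragments.
    Caveat: this keeps non-first fragments of any datagram, not only port N."""
    return port_filter(pkt, port) or frag_offset(pkt) != 0

def captured_offsets(pkts, flt, port=2049):
    return [frag_offset(p) for p in pkts if flt(p, port)]

# Constructed sample: UDP header (source port 2049) + 32768 bytes of data.
UDP = struct.pack("!HHHH", 2049, 1012, 32776, 0) + bytes(32768)
FRAGS = fragment(UDP)

if __name__ == "__main__":
    print("fragments on the wire:", len(FRAGS))
    print("'port 2049' keeps offsets:", captured_offsets(FRAGS, port_filter))
    kept = captured_offsets(FRAGS, port_or_fragment_filter)
    print("with fragment clause keeps:", len(kept), "fragments")
```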