On Mar 24, 2009, at 8:00 AM, Gustavo Vera Heredia wrote:

> I wonder if you could explain to me why this happens: I ping from one
> computer to another one in my network. My ping data size is 2000
> bytes but I see that the frames containing the ping request and reply

Those are the frames containing the *last part* of the ping request
and the *last part* of the ping reply.

> have only 562 bytes, why not 2000??. Why is that?

Because this is on an Ethernet, and you can't have a packet with more
than 1514 bytes (not counting the CRC) on an Ethernet.

Therefore, a 2000-byte ping over IPv4, with no IP options, which has:

    20 bytes of IPv4 header;
    8 bytes of ICMP header;
    2000 bytes of data;

and is thus a 2028-byte IPv4 packet, must be split into multiple
Ethernet packets; this is called "IP fragmentation". Each "IP
fragment" contains an Ethernet header and an IPv4 header, for a total
of 34 bytes, leaving room for 1480 bytes of IPv4 payload. Therefore,
the first fragment has:

    14 bytes of Ethernet header;
    20 bytes of IPv4 header;
    8 bytes of ICMP header;
    the first 1472 bytes of the ping data;

for a total of 1514 bytes, and the next fragment has:

    14 bytes of Ethernet header;
    20 bytes of IPv4 header;
    the remaining 528 bytes of the ping data;

for a total of 562 bytes.

Wireshark can do IPv4 reassembly, meaning that it gathers the data
from all of the fragments and, when it sees the final fragment,
reassembles them and dissects the reassembled packet, so the last
fragment is dissected as the reassembled packet, so it *appears* to be
only 562 bytes long. That's the size of the final fragment, but, if
you look at the dissection, you'll notice that it's reassembled the
fragments and, when it's dissecting the ICMP header and the data, is
dissecting the reassembled data, not just the 528 bytes of ping data
in that fragment.
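
The fragment sizes and the reassembly step described in this message, worked through as an added example that is not part of the original e-mail. The function names, the dictionary layout and the zero-filled ping data are assumptions made for illustration; the header sizes and the 1514-byte limit are the ones given above.

```python
import struct

ETH_HDR, IP_HDR = 14, 20     # header sizes from the message (IPv4, no options)
ETH_MAX_FRAME = 1514         # Ethernet maximum, not counting the CRC

def fragment(ip_payload, max_frame=ETH_MAX_FRAME):
    """Split an IPv4 payload into per-frame fragments."""
    room = max_frame - ETH_HDR - IP_HDR      # 1480 on Ethernet
    room -= room % 8     # non-final fragments carry a multiple of 8 bytes
    frags = []
    for start in range(0, len(ip_payload), room):
        chunk = ip_payload[start:start + room]
        frags.append({
            "offset": start // 8,                        # offset field, 8-byte units
            "mf": start + len(chunk) < len(ip_payload),  # More Fragments flag
            "data": chunk,
            "frame_len": ETH_HDR + IP_HDR + len(chunk),  # size shown per frame
        })
    return frags

def reassemble(frags):
    """Return the full IPv4 payload, or None while fragments are missing.
    Simplification: duplicate or overlapping fragments count as incomplete."""
    ordered = sorted(frags, key=lambda f: f["offset"])
    if not ordered or ordered[-1]["mf"]:
        return None                      # final fragment not captured yet
    payload = b""
    for f in ordered:
        if f["offset"] * 8 != len(payload):
            return None                  # hole before this fragment
        payload += f["data"]
    return payload

def ping_fragments(data_len):
    """Constructed ICMP echo request: 8-byte header (checksum left 0) plus data."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + bytes(data_len)
    return fragment(icmp)

if __name__ == "__main__":
    frags = ping_fragments(2000)
    for f in frags:
        print(f"frame {f['frame_len']:4d} bytes  "
              f"offset={f['offset'] * 8:4d}  MF={int(f['mf'])}")
    print("reassembled ICMP message:", len(reassemble(frags)), "bytes")
```

For a 2000-byte ping this prints a 1514-byte frame and a 562-byte frame, and the reassembled ICMP message is 2008 bytes (8 bytes of header plus the 2000 bytes of data), which is what the dissection of the final fragment covers.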