Wireshark · Wireshark-users: Re: [Wireshark-users] the Fragment offset field in IP packet should follow the Raw bitstream？

Wireshark-users: Re: [Wireshark-users] the Fragment offset field in IP packet should follow the R

From: Jaap Keuter <jaap.keuter@xxxxxxxxx>

Date: Tue, 23 Jun 2020 09:59:42 +0200

Hi,

Oh, wasn’t expecting that. Digging further in the 3.0 branch I found that the bitfield was re-introduced, in 2.4.

commit 558fe23226b69665dd66ee15bed2f7492653aa09
Author: Anders Broman <anders.broman@xxxxxxxxxxxx>
Date:   Thu Jul 20 16:02:54 2017 +0200

  [IP] Simplify paring of flags field by using
  proto_tree_add_bitmask_with_flags().

which was changed again and subsequently fixed:

commit 89beba7ea6c4e53c53349d2dc730db6ff4644979
Author: João Valverde <joao.valverde@xxxxxxxxxxxxxxxxxx>
Date:   Thu Jan 23 02:13:40 2020 +0000

  IPv4: Fix display of Fragment Offset field

Based on bug 16344 (https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16344)

Thanks,

Jaap

On 21 Jun 2020, at 04:26, damker <damker@xxxxxxxx> wrote:

my version was 3.0.6.
when i upgrade to 3.0.11, it shows like this "Fragment offset: 856".

damker

发件人： Jaap Keuter
发送时间： 2020-06-19 23:10
收件人： Community support list for Wireshark
主题： Re: [Wireshark-users]the Fragment offset field in IP packet should follow the Raw bitstream？
That was a nice bit of source code archeology, but I’ve found that this format was changed in commit 7f6d5c04a86 with the comment:

commit 7f6d5c04a869525d31e8d6e260d5195857481031
Author: Martin Mathieson <martin.r.mathieson@xxxxxxxxxxxxxx>
Date:   Wed Aug 29 15:35:27 2007 +0000

  Don't show fragment offset as a bit field, but note number of bits used in long text.

  svn path=/trunk/; revision=22727

Note the date, that was back in 2007, so this format disappeared before Wireshark 1.0.
Where did you get this from?

Thanks,
Jaap

On 19 Jun 2020, at 09:48, damker <damker@xxxxxxxx> wrote:

an IP packet decode As follows:
...
  Flags: 0x006b
        0... .... .... .... = Reserved bit: Not set
        .0.. .... .... .... = Don't fragment: Not set
        ..0. .... .... .... = More fragments: Not set
    ...0 0011 0101 1000 = Fragment offset: 856
    Time to live: 128

I know that it says "The fragment offset is measured in units of 8 octets (64 bits)" in RFC 791.
my question is: Flags = 0x006b, the "...0 0011 0101 1000 = Fragment offset: 856" should be "...0 0000 0110 1011 = Fragment offset: 856"?
I think the second one is more clear.

damker

References:
- [Wireshark-users] Leverage wireshark dissection tree in a 3rd party program
  - From: Matt
- [Wireshark-users] the Fragment offset field in IP packet should follow the Raw bitstream？
  - From: damker
- Re: [Wireshark-users] the Fragment offset field in IP packet should follow the Raw bitstream？
  - From: Jaap Keuter
- Re: [Wireshark-users] the Fragment offset field in IP packet should follow the Raw bitstream？
  - From: damker

Prev by Date: Re: [Wireshark-users] the Fragment offset field in IP packet should follow the Raw bitstream？
Previous by thread: Re: [Wireshark-users] the Fragment offset field in IP packet should follow the Raw bitstream？
Index(es):
- Date
- Thread