I Smell Packets


Fragments in tcpdump and Wireshark
May 19, 2009, 11:07 pm
Filed under: Fragment, tcpdump, Wireshark

After the last Packet Challenge I received questions from a couple of individuals about viewing fragments in tcpdump and Wireshark.

To view the IP ID, the More Fragments Flag, and the Fragment Offset in tcpdump use the -v switch:

tcpdump -v

The -v switch stands for verbose. For even more detailed information add another one or two v’s:

tcpdump -vv or tcpdump -vvv

Wireshark by default reassembles fragments. To change this default behavior edit the preferences. In the Edit menu, select Preferences, expand the Protocols section, select IP, and uncheck the Reassemble fragmented IP datagrams checkbox.

For more information on Fragmentation the following is a link to The TCP/IP Guide section on the IP Message Fragmentation Process:

The TCP/IP Guide – IP Message Fragmentation Process

Advertisement
Leave a Comment

Leave a Comment so far
Leave a comment

RSS feed for comments on this post.


Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s



%d bloggers like this: