
I have the following 2 TCP packets I'm picking up on winpcap:

http://pastebin.com/FUAs3UZ7 or in a pcap format https://www.dropbox.com/s/0ss4j0weszy92no/SO.pcap

Those 2 packets are to be reassembled, but their IP flags are "010", meaning "Don't Fragment", and the fragment offset is 0. They do have consecutive identification numbers, but if I understand correctly this alone is not enough to define a fragmented packet.

Wireshark does reassemble those packets, and I can't really understand why.

What am I missing here? How does Wireshark know to reassemble those 2 packets?


1 Answer


First packet:

00 80 f4 09 e6 a5 - Ethernet destination address

00 50 56 26 ab 04 - Ethernet source address

08 00 - Ethernet type, which is IPv4

45 - IP version (4, for IPv4) and header length (5, for 5*4 = 20 bytes)

00 - DSCP/ECN (or TOS, in the old days)

02 40 - total length (576 bytes)

74 ff - identification

40 00 - flags and fragment offset; DF, and a fragment offset of 0

80 - time to live

06 - protocol, which is TCP

When you say "Wireshark does reassemble those packets", are you referring to IP reassembly or TCP reassembly? Those take place at different layers, and I suspect what Wireshark is doing is reassembling all or part of the TCP segment in the first packet and the TCP segment in the second packet to make a packet for the protocol running on top of TCP; TCP is a byte-stream protocol, so there is no guarantee that TCP segment boundaries (which turn into link-layer frame boundaries in almost all cases) correspond to packet boundaries for protocols running on top of TCP.
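The following decoder, added here as an illustration and not part of the answer above, makes the two-layer point concrete. It parses the Ethernet, IPv4 and TCP headers of a raw frame, decides whether the datagram is an IP fragment (MF set or a non-zero fragment offset, which is the only test that matters; DF and consecutive IDs say nothing), and then checks whether two segments are adjacent in the TCP byte stream by sequence number, which is what a TCP reassembler keys on. The two sample frames are constructed: the MAC addresses, identification, DF flag, TTL, protocol and 576-byte total length follow the dump in the answer, while the IP addresses 10.0.0.1/10.0.0.2, ports 80/50000, the sequence numbers and the payload bytes are made up (the linked pcap is not reproduced here).

```python
import struct
from ipaddress import IPv4Address


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 791); returns 0 over a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_frame(frame: bytes) -> dict:
    """Decode Ethernet II / IPv4 / TCP headers into the fields that matter for
    the IP-versus-TCP reassembly question."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4 (ethertype 0x{ethertype:04x})")
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", ip[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(ip) < ihl or total_len < ihl or len(ip) < total_len:
        raise ValueError("malformed IPv4 header or truncated datagram")
    if ipv4_checksum(ip[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    df = bool(flags_frag & 0x4000)             # Don't Fragment
    mf = bool(flags_frag & 0x2000)             # More Fragments
    frag_offset = (flags_frag & 0x1FFF) * 8    # offset field is in 8-byte units
    pkt = dict(ident=ident, ttl=ttl, proto=proto, df=df, mf=mf, total_len=total_len,
               frag_offset=frag_offset, src=str(IPv4Address(src)), dst=str(IPv4Address(dst)))
    # IP-layer reassembly is needed only for a fragment: MF set, or a non-zero offset.
    pkt["is_ip_fragment"] = mf or frag_offset != 0
    if proto == 6 and not pkt["is_ip_fragment"]:
        tcp = ip[ihl:total_len]
        if len(tcp) < 20:
            raise ValueError("truncated TCP header")
        sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
        data_off = (off_flags >> 12) * 4
        pkt.update(sport=sport, dport=dport, seq=seq, ack=ack,
                   tcp_flags=off_flags & 0x1FF, payload=tcp[data_off:])
    return pkt


def tcp_contiguous(first: dict, second: dict) -> bool:
    """True when `second` carries the next bytes of the same TCP stream as `first`:
    same 4-tuple and seq == first.seq + len(first.payload) (mod 2^32)."""
    same_flow = all(first[k] == second[k] for k in ("src", "dst", "sport", "dport"))
    expected = (first["seq"] + len(first["payload"])) & 0xFFFFFFFF
    return same_flow and second["seq"] == expected


def reassemble_tcp(segments: list) -> bytes:
    """Stitch contiguous segments into the byte stream an upper-layer dissector sees;
    stops at the first gap. Sorting by seq ignores 32-bit wrap-around (toy)."""
    segs = sorted(segments, key=lambda s: s["seq"])
    out = bytearray(segs[0]["payload"])
    for prev, cur in zip(segs, segs[1:]):
        if not tcp_contiguous(prev, cur):
            break
        out += cur["payload"]
    return bytes(out)


def build_frame(ident: int, seq: int, payload: bytes, flags_frag: int = 0x4000) -> bytes:
    """Constructed sample frame. MACs, DF, TTL and protocol follow the answer's dump;
    addresses, ports and seq/ack are made up. TCP checksum is left 0 (not verified)."""
    eth = bytes.fromhex("0080f409e6a5 00505626ab04 0800")
    tcp_hdr = struct.pack("!HHIIHHHH", 80, 50000, seq, 1, (5 << 12) | 0x018, 65535, 0, 0)
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_frag, 0x80, 6, 0,
                         IPv4Address("10.0.0.1").packed, IPv4Address("10.0.0.2").packed)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ipv4_checksum(ip_hdr)) + ip_hdr[12:]
    return eth + ip_hdr + tcp_hdr + payload


# Constructed sample input: 576-byte datagram with ID 0x74ff, then the next
# segment of the same stream with the consecutive ID 0x7500.
FIRST = build_frame(0x74FF, 1000, b"A" * 536)
SECOND = build_frame(0x7500, 1000 + 536, b"B" * 100)

if __name__ == "__main__":
    p1, p2 = parse_frame(FIRST), parse_frame(SECOND)
    for p in (p1, p2):
        print(f"id=0x{p['ident']:04x} DF={p['df']} MF={p['mf']} offset={p['frag_offset']} "
              f"ip_fragment={p['is_ip_fragment']} seq={p['seq']} len={len(p['payload'])}")
    print("TCP-contiguous:", tcp_contiguous(p1, p2))
    print("stream bytes:", len(reassemble_tcp([p2, p1])))
```

Running it prints that neither datagram is an IP fragment, yet the second segment's sequence number equals the first's sequence number plus its 536 payload bytes, so a TCP dissector glues them together regardless of the IP identification values. Pass `flags_frag=0x2000` to `build_frame` to see the opposite case, a datagram that is an IP fragment (MF set) and is never handed to the TCP layer until IP reassembly completes.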