0
votes

I am replaying from a .pcap file that contains a single UDP datagram that has been fragmented into two frames. When using tcpreplay or scapy, both programs indicate they sent both frames, but I only receive 1 on the directly connected device. Any ideas why?

Packet capture located here

Edit: the connected device is a firewall and I am running tcpdump, so I would expect to see both frames

Edit2: tcpdump on the firewall should print all packets it receives, even if it were to be dropped for some reason. However, this is the only packet tcpdump prints:

968.681737 lan in 172.23.0.5.1812 -> 172.16.0.4.37507: udp 1434 (frag 4486:1424@0+)

1
If the receiving device just uses the normal socket API to receive UDP, perhaps the IP stack on the device works properly and therefore re-assembles those 2 packets and delivers one datagram to the application like it is supposed to. – nos
I will edit the description above - the receiving device is a network device (a firewall), so I would expect to see both frames when using tcpdump on the firewall, but I just see the large fragment, not the final piece. – john
Then you need to describe carefully how you observe/determine that the device only "sees" one packet. Some firewalls would certainly re-assemble UDP packets in order to properly apply firewall rules. Others could, depending on your configuration, throw away one of the fragments. You have to provide a lot of detailed description of what you are doing and how you have configured your firewall for anyone to provide help with this. – nos
tcpdump on the firewall should print all packets it receives, even if it were to be dropped for some reason. However, this is the only packet tcpdump prints: 968.681737 lan in 172.23.0.5.1812 -> 172.16.0.4.37507: udp 1434 (frag 4486:1424@0+) – john
Did you use any filters when you ran tcpdump? (e.g. a port filter will only match the 1st fragment) – nos

1 Answer

0
votes

You receive UDP datagrams, not fragments. If both fragments arrive, the IP layer will combine them, see that the packet is now complete, and pass it to the UDP layer, which will pass it to the receiving process as a single reassembled datagram.
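The reassembly described in this answer, and the point raised in the comments that a port filter can only match the first fragment, shown as an added example that is not part of the original thread. The two fragments are constructed to mirror the tcpdump line in the question; the second fragment's size (18 bytes at offset 1424) is an assumption that reads `udp 1434` as the UDP payload length.

```python
import struct

SRC, DST = bytes([172, 23, 0, 5]), bytes([172, 16, 0, 4])

def ipv4_fragment(ident, offset, more, payload):
    """Minimal 20-byte IPv4 header (checksum left 0) followed by payload."""
    flags_frag = (0x2000 if more else 0) | (offset // 8)  # MF bit + offset in 8-byte units
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                       flags_frag, 64, 17, 0, SRC, DST) + payload

def parse(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    total, ident, ff = struct.unpack("!HHH", pkt[2:8])
    return {"id": ident, "mf": bool(ff & 0x2000),
            "offset": (ff & 0x1FFF) * 8, "data": pkt[ihl:total]}

def describe(pkt):
    """tcpdump-style summary: frag id:length@offset, '+' when more fragments follow."""
    f = parse(pkt)
    return f"frag {f['id']}:{len(f['data'])}@{f['offset']}{'+' if f['mf'] else ''}"

def udp_ports(pkt):
    """The UDP header exists only in the fragment at offset 0; later ones have no ports."""
    f = parse(pkt)
    return struct.unpack("!HH", f["data"][:4]) if f["offset"] == 0 else None

def reassemble(pkts):
    """Return the complete IP payload, or None while any fragment is missing."""
    frags = sorted((parse(p) for p in pkts), key=lambda f: f["offset"])
    if not frags or len({f["id"] for f in frags}) != 1:
        return None
    buf = b""
    for f in frags:
        if f["offset"] != len(buf):  # hole (or overlap): not deliverable
            return None
        buf += f["data"]
    return None if frags[-1]["mf"] else buf  # last fragment must clear MF

# Constructed sample: UDP 1812 -> 37507 with 1434 payload bytes, split at 1424.
UDP = struct.pack("!HHHH", 1812, 37507, 8 + 1434, 0) + b"\x00" * 1434
FRAGS = [ipv4_fragment(4486, 0, True, UDP[:1424]),
         ipv4_fragment(4486, 1424, False, UDP[1424:])]

if __name__ == "__main__":
    for p in FRAGS:
        print(describe(p), "ports:", udp_ports(p))
    print("reassembled bytes:", len(reassemble(FRAGS)))
    print("first fragment alone:", reassemble(FRAGS[:1]))
```

A capture filter such as `udp port 1812` is evaluated per frame, so it matches only the frame for which `udp_ports` returns a value; the trailing fragment needs a filter on the IP addresses or fragment fields to show up.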