0

I was playing around with dpkt in Python, trying to decode PPPoE - and the program was working just fine, till I noticed that the Offset in the encapsulation IP packets was always 0, even with clearly fragmented packets.

Capture

As can be seen, the server is sending 1492-byte packets (because of the PPPoE encapsulation, I suppose), and a last packet of 1365. But offset is always 0 - shouldn't it be increasing?

Of course I suspected my program, but I checked the same transfer with Wireshark and got the same result.

Am I interpreting this the wrong way?

jcoppens
  • 103
  • 1
  • 1
    I don't see anything in your question to show "_clearly fragmented packets._." Why do you think the packets are fragmented? – Ron Maupin Dec 22 '16 at 21:24
  • The contents of the packets belong together - they conform a single HTML page (checked their payloads). In another case, I found the splice in the middle of a '__VIEWSTATE' variable. I thought that was motive enough? – jcoppens Dec 23 '16 at 03:48
  • 1
    TCP will segment, but that has nothing to do with IP fragmentation. Don't confuse TCP segmentation (layer-4) with IP fragmentation (layer-3). – Ron Maupin Dec 23 '16 at 03:50
  • @Ron Maupin Nice... I did read a lot of fragmentation, somehow missed segmentation at TCP. Who determines the 1492 limit. Found a nice item on this: http://networkengineering.stackexchange.com/questions/8288/difference-between-mss-and-mtu (On Network Engineering - I guess there's some overlap in the forums). – jcoppens Dec 23 '16 at 03:57
  • The MSS (Maximum Segment Size) of TCP is based on the MTU. We also now have PMTUD to discover the minimum MTU between the TCP peers. – Ron Maupin Dec 23 '16 at 04:02

2 Answers2

2

No, those are not fragments. You're seeing 1492 byte packets from the server and 40 byte packets (TCP ACKs?) back to the server. Because they are not fragments the offset is indeed always 0.

Wireshark will show you whether packets are fragments or not. If you show more detailed information from Wireshark we can give you more information about what exactly is in each packet.

Sander Steffann
  • 7,712
  • 19
  • 29
  • Thanks! I do understand that the parts are confirmed separately. So, who took the decision to do that fragmentation? (The packets really belong together - they form just a single HTML page). If it's not the IP layer... – jcoppens Dec 23 '16 at 03:44
  • 1
    Those are not fragments, those are multiple separate packets that belong to the same tcp steam. Tcp splits the data steam up in multiple packets. If one of those packets doesn't fit on a link in the path because the link's mtu is too small then that packet would get fragmented. Splitting up data can occur at multiple levels, and you're confusing the segmentation of tcp with fragmentation of packets. Don't worry, it's not surprising :) It can be hard to understand all the layers and protocols and possibilities unless you study them extensively! – Sander Steffann Dec 23 '16 at 13:27
0

I would recommend installing tracepath (not traceroute) and using it to check the MTUs on all the hops. If you don't want fragmented packets, keep the MTU on the server set below the lowest MTU on the hop path.

Jimi Thompson
  • 46
  • 1
  • I don't really want to change anything. I just wanted to relate the network protocol docs with what I observed. And I have no control over the server's MTU. – jcoppens Dec 23 '16 at 03:46