
I am replaying from a .pcap file that contains a single UDP datagram that has been fragmented into two frames. When using tcpreplay or scapy, both programs indicate they sent both frames, but I only receive 1 on the directly connected device. Any ideas why?

Packet capture located here

Edit: the connected device is a firewall and I am running tcpdump, so I would expect to see both frames

Edit2: tcpdump on the firewall should print all packets it receives, even if it were to be dropped for some reason. However, this is the only packet tcpdump prints:

968.681737 lan in 172.23.0.5.1812 -> 172.16.0.4.37507: udp 1434 (frag 4486:1424@0+)

john
  • If the receiving device just uses the normal socket API to receive UDP, perhaps the IP stack on the device works properly and therefore re-assembles those 2 packets and delivers one datagram to the application like it is supposed to. – nos Jul 12 '17 at 22:14
  • I will edit the description above - the receiving device is a network device (a firewall), so I would expect to see both frames when using tcpdump on the firewall, but I just see the large fragment, not the final piece. – john Jul 12 '17 at 22:23
  • Then you need to describe carefully how you observe/determine that the device only "sees" one packet. Some firewalls would certainly re-assemble UDP packets in order to properly apply firewall rules. Others could depending on your configuration throw away one of the fragments, you have to provide a lot of detailed description of what you are doing and how you have configured your firewall for anyone to provide help with this. – nos Jul 12 '17 at 22:28
  • tcpdump on the firewall should print all packets it receives, even if it were to be dropped for some reason. However, this is the only packet tcpdump prints: `968.681737 lan in 172.23.0.5.1812 -> 172.16.0.4.37507: udp 1434 (frag 4486:1424@0+)` – john Jul 12 '17 at 22:51
  • Did you use any filters when you ran tcpdump? (e.g. a port filter will only match the first fragment) – nos Jul 13 '17 at 06:43
  • I did have a port filter on, and now without it, I do see both fragments. Which is strange because I took the capture that I am replaying originally using tcpdump with a port filter - will have to investigate this separately. Anyway, here are both packets for information's sake. Feel free to post your previous comment as an answer and I will mark correct. `32.033421 lan -- 172.23.0.5.1812 -> 172.16.0.4.37507: udp 1434 (frag 4486:1424@0+)` `32.160564 lan -- 172.23.0.5 -> 172.16.0.4: ip-proto-17 (frag 4486:18@1424)` – john Jul 13 '17 at 16:24
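Worked example, added here and not part of the question, the comments or the answer: it reproduces the behaviour nos describes with the standard library only. A datagram of the same shape as the one in the capture (UDP 1812 -> 37507, IP ID 4486, 1434 bytes of payload, which a 1444-byte MTU splits into a 1424-byte first fragment and an 18-byte tail) is built and fragmented, then two filters are applied to each fragment. `bpf_udp_port` mimics what tcpdump compiles `udp port 1812` to: the transport ports are only inspected when the fragment offset is zero, because non-first fragments carry no UDP header, so the 18-byte tail can never match. `bpf_udp_port_or_frag` mimics the usual idiom `udp port 1812 or (ip[6:2] & 0x1fff != 0)`, which also keeps every non-first fragment. A small reassembler shows why a socket-based receiver nevertheless sees one datagram. The payload bytes, the MTU and the helper names are assumptions for the illustration.

```python
"""Added example: why 'udp port N' matches only the first IPv4 fragment."""
import socket
import struct

IPPROTO_UDP = 17


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 ones-complement checksum; a valid header sums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, ident, frag_off, more_frags, payload):
    """Minimal 20-byte IPv4 header; frag_off is in bytes (multiple of 8)."""
    flags_frag = (0x2000 if more_frags else 0) | (frag_off // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def fragment(src, dst, proto, ident, l4_bytes, mtu):
    """Split one transport PDU into IPv4 fragments the way a sender would."""
    max_payload = (mtu - 20) // 8 * 8
    frags, off = [], 0
    while off < len(l4_bytes):
        chunk = l4_bytes[off:off + max_payload]
        more = off + len(chunk) < len(l4_bytes)
        frags.append(build_ipv4(src, dst, proto, ident, off, more, chunk))
        off += len(chunk)
    return frags


def parse_ipv4(pkt):
    (ver_ihl, _tos, tlen, ident, flags_frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"id": ident, "proto": proto, "src": src, "dst": dst,
            "mf": bool(flags_frag & 0x2000),
            "frag_off": (flags_frag & 0x1FFF) * 8,
            "payload": pkt[ihl:tlen]}


def bpf_udp_port(pkt, port):
    """'udp port PORT': ports are read only when ip[6:2] & 0x1fff == 0,
    since later fragments contain no UDP header to look at."""
    ip = parse_ipv4(pkt)
    if ip["proto"] != IPPROTO_UDP or ip["frag_off"] != 0:
        return False
    sport, dport = struct.unpack("!HH", ip["payload"][:4])
    return port in (sport, dport)


def bpf_udp_port_or_frag(pkt, port):
    """'udp port PORT or (ip[6:2] & 0x1fff != 0)': also keep every
    non-first fragment so the whole datagram ends up in the capture."""
    return bpf_udp_port(pkt, port) or parse_ipv4(pkt)["frag_off"] != 0


def reassemble(frags):
    """Kernel-style reassembly of one datagram; None if a piece is missing."""
    pieces = sorted((parse_ipv4(f) for f in frags), key=lambda p: p["frag_off"])
    data = b""
    for p in pieces:
        if p["frag_off"] != len(data):
            return None          # gap: an earlier fragment never arrived
        data += p["payload"]
    if not pieces or pieces[-1]["mf"]:
        return None              # last piece still says "more fragments"
    return data


def demo(port=1812, mtu=1444):
    """Constructed datagram modelled on the capture: 1434 payload bytes
    from 172.23.0.5:1812 to 172.16.0.4:37507 with IP ID 4486 (assumed MTU)."""
    src, dst = socket.inet_aton("172.23.0.5"), socket.inet_aton("172.16.0.4")
    payload = (bytes(range(256)) * 6)[:1434]
    udp = struct.pack("!HHHH", port, 37507, 8 + len(payload), 0) + payload
    frags = fragment(src, dst, IPPROTO_UDP, 4486, udp, mtu)
    return {
        "fragments": len(frags),
        "sizes": [len(parse_ipv4(f)["payload"]) for f in frags],
        "checksums_valid": all(ipv4_checksum(f[:20]) == 0 for f in frags),
        "port_filter_matches": [bpf_udp_port(f, port) for f in frags],
        "frag_aware_matches": [bpf_udp_port_or_frag(f, port) for f in frags],
        "reassembled_ok": reassemble(frags) == udp,
        "second_alone_reassembles": reassemble(frags[1:]) is not None,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

With the port filter only the first fragment matches (`[True, False]`), which is exactly what the single `frag 4486:1424@0+` line in the question shows; the fragment-aware filter keeps both. The same applies to the original capture: if it was taken with `tcpdump ... udp port 1812`, the tail fragment may have been missed at capture time. On the firewall, assuming the interface name `lan` from the output, the equivalent filter would be `tcpdump -ni lan 'udp port 1812 or (ip[6:2] & 0x1fff != 0)'`, and a filter on the IP ID alone (`ip[4:2] = 4486`) also matches both pieces.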

1 Answer


You receive UDP datagrams, not fragments. If both fragments arrive, the IP layer will combine them, see that the packet is now complete, and pass it to the UDP layer, which will pass it to the receiving process as a single reassembled datagram.

user207421
  • That's true for socket based apps, but not tcpdump which should show all of the ethernet frames. In this case, it's only showing the first IP fragment, not the reassembled IP packet. – Aaron Turner Jul 15 '17 at 16:26