Wireshark/IPv4 fragments

From Wikiversity

Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze fragmented IPv4 traffic.

Readings

Preparation

To prepare for this activity:

  1. Start Windows.
  2. Log in if necessary.
  3. Install Wireshark.

Activity 1 - Capture Fragmented IPv4 Traffic

To capture fragmented IPv4 traffic:

  1. Start a Wireshark capture.
  2. Use ping -l 2500 <default gateway address> to ping the default gateway address with a 2,500 byte payload (the option is a lowercase L, the Windows ping switch for payload size). Notice that because the default maximum transmission unit (MTU) for Ethernet frames is 1,500 bytes, and each frame can carry at most 1,480 bytes of data after the 20 byte IPv4 header, this should generate fragmented packets.
  3. Stop the Wireshark capture.

Activity 2 - Analyze Fragmented IPv4 Outbound Traffic

To analyze fragmented IPv4 outbound traffic:

  1. Observe the traffic captured in the top Wireshark packet list pane. Look for traffic with ICMP listed as the protocol. To find only ICMP traffic, type icmp (lower case) in the Filter box and press Enter.
  2. Select the first ICMP packet, labeled Echo (ping) request.
  3. If you applied an icmp filter, clear the filter so you can see the IPv4 fragments.
  4. Select the IPv4 packet immediately above the first ICMP packet.
  5. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Internet Control Message Protocol frame.
  6. Expand Internet Protocol Version 4 to view IP details.
  7. Expand Flags to view flag details.
  8. Observe the More fragments field. Notice that it is set, indicating more fragments will follow.
  9. Observe the Fragment offset field. Notice that it is 0, indicating this is the first fragment.
  10. Observe the Total length and Header length fields. Subtract header length from total length to determine the size of this fragment.
  11. In the top Wireshark packet list pane, select the next packet, labeled Echo (ping) request.
  12. View IP details.
  13. Observe the More fragments field. Notice that it is not set, indicating no more fragments will follow.
  14. Observe the Fragment offset field. Notice that it is the same as the size calculated for the first fragment. (Wireshark displays the offset in bytes; on the wire the field is stored in 8 byte units, which is why fragment data sizes are always multiples of 8 except for the last fragment.)
  15. Observe the Total length and Header length fields. Subtract header length from total length to determine the size of this fragment.
  16. Add the sizes of the two fragments together to determine total data length. It should be 2,508, indicating 2,500 bytes of ICMP data and an 8 byte ICMP header.

Activity 3 - Analyze Fragmented IPv4 Inbound Traffic

To analyze fragmented IPv4 inbound traffic:

  1. In the top Wireshark packet list pane, select the second ICMP packet, labeled Echo (ping) reply.
  2. Select the IPv4 packet immediately above the second ICMP packet.
  3. View IP details.
  4. Observe the More fragments field. Notice that it is set, indicating more fragments will follow.
  5. Observe the Fragment offset field. Notice that it is 0, indicating this is the first fragment.
  6. Observe the Total length and Header length fields. Subtract header length from total length to determine the size of this fragment.
  7. In the top Wireshark packet list pane, select the next packet, labeled Echo (ping) reply.
  8. View IP details.
  9. Observe the More fragments field. Notice that it is not set, indicating no more fragments will follow.
  10. Observe the Fragment offset field. Notice that it is the same as the size calculated for the first fragment.
  11. Observe the Total length and Header length fields. Subtract header length from total length to determine the size of this fragment.
  12. Add the sizes of the two fragments together to determine total data length. It should be 2,508, indicating 2,500 bytes of ICMP data and an 8 byte ICMP header.
  13. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
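The field checks performed by hand in Activities 2 and 3 (More fragments flag, Fragment offset, Total length minus Header length, and summing the fragment sizes to 2,508) can also be done programmatically. The following is an added example, not part of the Wikiversity activity or of Wireshark; it constructs two sample fragments of a 2,500 byte ping (addresses, IP ID and ICMP identifiers are made-up placeholder values) and reassembles them, rejecting a capture where a fragment is missing or the last fragment still has More fragments set.

```python
import struct

MF_FLAG = 0x1  # "More fragments" bit in the IPv4 flags field


def parse_ipv4(packet: bytes) -> dict:
    """Extract the header fields the activity inspects under Internet Protocol Version 4."""
    ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto = struct.unpack("!BBHHHBB", packet[:10])
    header_len = (ver_ihl & 0x0F) * 4          # IHL is counted in 32-bit words
    return {
        "id": ident,
        "proto": proto,
        "header_length": header_len,
        "total_length": total_len,
        "more_fragments": bool((flags_frag >> 13) & MF_FLAG),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,   # Wireshark shows this in bytes
        "data_size": total_len - header_len,            # steps 10 and 15: total minus header
        "payload": packet[header_len:total_len],
    }


def build_fragment(ident: int, offset: int, more: bool, payload: bytes) -> bytes:
    """Construct a minimal IPv4 fragment carrying ICMP (protocol 1); checksum left zero."""
    flags_frag = ((MF_FLAG if more else 0) << 13) | (offset // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag,
                         128, 1, 0, bytes([192, 168, 1, 10]), bytes([192, 168, 1, 1]))
    return header + payload


def reassemble(fragments) -> tuple:
    """Step 16: add the fragment data sizes together, checking the fragments actually chain."""
    frags = sorted((parse_ipv4(p) for p in fragments), key=lambda f: f["fragment_offset"])
    expected_offset = 0
    for f in frags:
        if f["fragment_offset"] != expected_offset:   # gap or overlap: incomplete datagram
            raise ValueError(f"fragment at offset {f['fragment_offset']}, expected {expected_offset}")
        expected_offset += f["data_size"]
    if frags[-1]["more_fragments"]:
        raise ValueError("last fragment still has More fragments set")
    return expected_offset, b"".join(f["payload"] for f in frags)


# Constructed sample: an ICMP echo request (8 byte header) with 2,500 bytes of data, split
# as the activity describes: 1,480 bytes in the first fragment, the remaining 1,028 in the second.
ICMP_MESSAGE = bytes([8, 0, 0, 0, 0, 1, 0, 1]) + b"a" * 2500
FRAGMENTS = [build_fragment(0x1234, 0, True, ICMP_MESSAGE[:1480]),
             build_fragment(0x1234, 1480, False, ICMP_MESSAGE[1480:])]

if __name__ == "__main__":
    for p in FRAGMENTS:
        f = parse_ipv4(p)
        print(f"MF={f['more_fragments']} offset={f['fragment_offset']} data={f['data_size']}")
    print("total data length:", reassemble(FRAGMENTS)[0])  # 2508
```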

References