文章目录
- 报文分析笔记---常见wireshark报文标记
-
- Fragmented IP protocol
- Packet size limited during capture
- TCP Previous segment not captured
- TCP ACKed unseen segment
- TCP Out-of-Order
- TCP Dup ACK
- TCP Fast Retransmission
- TCP Spurious Retransmission
- TCP Retransmission
- TCP zerowindow
- TCP window Full
- TCP window Update
- TCP port numbers reused
- TCP segment of a reassembled PDU
- Continuation to
- Time-to-live exceeded (Fragment reassembly time exceeded)
- TCP keep-alive
- TCP keep-alive ACK
报文分析笔记—常见wireshark报文标记
Fragmented IP protocol
Fragmented IP protocol ----报文分片
关于报文分片,会在wireshark中有首选项进行配置;
当前取消勾选后:
关于该配置的说明:
简单说明,
开启该选项时,wireshark 会尝试重组分片报文,并会在成功重组报文之前,只会将报文分片解析为IP协议数据报文,即第一副图的IPV4协议报文;当然如第一图,分片后的IPV4报文并没有成功重组;
关闭该选项时,wireshark 不会进行分片报文的重组,直接解析,所以对于分片报文而言,可能会有异常的标记,需要注意;
第一副图IPV4报文未成功重组的原因,是环境异常,定位后原因为原始数据报文是IPIP隧道封装的双层报文,在数据传输中,途径的一个网元节点,是按照外层报文进行的分片hash,导致分片报文被hash到了不同的后端节点上,进而不能正确重组;即大包做了外层分片,不能保证同一个大包的不同分片能hash到同一个LD;
关于wireshark该选项的引用说明:
https://wiki.wireshark.org/IP_Reassembly
https://www.wireshark.org/lists/wireshark-users/200706/msg00116.html
IP Reassembly
IP Reassembly is a feature in Wireshark and TShark to automatically reassemble all fragmented IP Datagrams into a full IP packet before calling the higher layer dissector.
This feature will require a lot of extra memory to be consumed by wireshark in order to store the reassembly buffers and is disabled by default.
To enable IP Reassembly, go to preferences and tick the box for reassembly
When you enable IP Reassembly several things in TShark and Wireshark change. First of all, Wireshark will no longer dissect the UDP or TCP header (or any protocol above these) in the frame that contained the header of the IP packet any more. Instead, the calling of the UDP or TCP protocol dissectors will be deferred until all IP fragments have been received and the full IP datagram has been fully reassembled.
This difference shows up as that without IP Reassembly the upper layer protocol, UDP or TCP and whatever sits above it, as much as was present in this frame of the initial fragment (where fragment offset is 0) will be dissected and displayed for that particular frame. This frame will also usually have an information text in the packet summary line along the lines of “[Short Frame]”. All the other [IP Fragment](https://wiki.wireshark.org/IP Fragment)s for this IP datagram will be dissected only up to and including the IP layer.
When this feature is enabled, dissection of the IP datagram will be deferred until that packet in the capture where the full IP datagram was completely reassembled.
This means that some packets that are using reassembly, such as NFSoverUDP, will dissect differently, and even in different frames when IP Reassembly is enabled.
IP Reassembly is an all-or-nothing feature. If not every single [IP Fragment](https://wiki.wireshark.org/IP Fragment) required to complete the reassembly can be found in the capture, then nothing at all will be dissected. Not even the
最低0.47元/天 解锁文章
扫一扫
1533
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
