Wireshark-users: Re: [Wireshark-users] Assembling of fragmented IP protocol packets

From: Sake Blok <sake@xxxxxxxxxx>
Date: Tue, 24 Apr 2007 20:36:06 +0200
On Tue, Apr 24, 2007 at 08:21:38PM +0200, Franz Edler wrote:
> Thanks again. You are right. The packets are cut after 1500 bytes.
> 
> The problem is now at Linux tcpdump which was the tool that produced the
> trace.

Did you by any chance use a filter with port numbers? Since port numbers 
are only present in the IP-fragment that has the UDP/TCP header in it
all the other fragments are not seen by the filter.

If you only filter on ip-addresses you should be fine though :)

Hope this helps,   Cheers,


Sake