Wireshark-users: Re: [Wireshark-users] Ping data size

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 24 Mar 2009 08:28:24 -0700

On Mar 24, 2009, at 8:00 AM, Gustavo Vera Heredia wrote:

> I wonder if you could explain to me why this happens: I ping from one computer to another one in my network. My ping data size is 2000 bytes but I see that the frames containing the ping request and reply

Those are the frames containing the *last part* of the ping request and the *last part* of the ping reply.

> have only 562 bytes. Why not 2000? Why is that?

Because this is on an Ethernet, and you can't have a packet with more than 1514 bytes (not counting the CRC) on an Ethernet.

Therefore, a 2000-byte ping over IPv4, with no IP options, which has:

	20 bytes of IPv4 header;

	8 bytes of ICMP header;

	2000 bytes of data;

and is thus a 2028-byte IPv4 packet, must be split into multiple Ethernet packets; this is called "IP fragmentation". Each "IP fragment" contains an Ethernet header and an IPv4 header, for a total of 34 bytes, leaving room for 1480 bytes of IPv4 payload. Therefore, the first fragment has:

	14 bytes of Ethernet header;

	20 bytes of IPv4 header;

	8 bytes of ICMP header;

	the first 1472 bytes of the ping data;

for a total of 1514 bytes, and the next fragment has:

	14 bytes of Ethernet header;

	20 bytes of IPv4 header;

	the remaining 528 bytes of the ping data;

for a total of 562 bytes.

Wireshark can do IPv4 reassembly, meaning that it gathers the data from all of the fragments and, when it sees the final fragment, reassembles them and dissects the reassembled packet, so the last fragment is dissected as the reassembled packet, so it *appears* to be only 562 bytes long. That's the size of the final fragment, but, if you look at the dissection, you'll notice that it's reassembled the fragments and, when it's dissecting the ICMP header and the data, is dissecting the reassembled data, not just the 528 bytes of ping data in that fragment.
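As an added illustration of the arithmetic above (example code, not from the original thread and not Wireshark's own code): it plans the IPv4 fragments for an ICMP echo of a given data size and reproduces the 1514-byte and 562-byte frames, plus the fragment offsets Wireshark shows. The header sizes and the 8-byte offset granularity are standard IPv4/Ethernet; the function and class names are my own.

```python
# Added example: plan how an IPv4 packet carrying an ICMP echo of data_len
# bytes is fragmented onto Ethernet (MTU 1500), reproducing the 1514-byte
# and 562-byte frames from the thread and the offsets Wireshark displays.
from dataclasses import dataclass
from typing import List

ETH_HDR = 14     # destination MAC, source MAC, EtherType
IPV4_HDR = 20    # IPv4 header without options
ICMP_HDR = 8     # type, code, checksum, identifier, sequence
ETH_MTU = 1500   # largest IPv4 packet per Ethernet frame (1514 with header, CRC excluded)

@dataclass
class Fragment:
    offset: int        # byte offset of this fragment's payload in the original IPv4 payload
    payload_len: int   # bytes of IPv4 payload (ICMP header + data) carried in this fragment
    more_fragments: bool

    @property
    def frame_len(self) -> int:
        return ETH_HDR + IPV4_HDR + self.payload_len

    @property
    def offset_field(self) -> int:
        # the IPv4 header stores the offset in 8-byte units (13-bit field)
        return self.offset // 8

def fragment_icmp_echo(data_len: int, mtu: int = ETH_MTU) -> List[Fragment]:
    """Split an ICMP echo with data_len bytes of data into IPv4 fragments for the given MTU."""
    payload_len = ICMP_HDR + data_len           # the ICMP header is part of the IPv4 payload
    max_payload = (mtu - IPV4_HDR) // 8 * 8     # every fragment but the last must be a multiple of 8
    fragments = []
    offset = 0
    while offset < payload_len:
        chunk = min(max_payload, payload_len - offset)
        more = offset + chunk < payload_len     # MF flag set on all but the final fragment
        fragments.append(Fragment(offset, chunk, more))
        offset += chunk
    return fragments

def reassembled_length(fragments: List[Fragment]) -> int:
    """Length of the IPv4 packet Wireshark rebuilds: one header plus every fragment's payload."""
    return IPV4_HDR + sum(f.payload_len for f in fragments)

if __name__ == "__main__":
    for f in fragment_icmp_echo(2000):
        print(f"offset={f.offset:5d} (field {f.offset_field:3d})  payload={f.payload_len:5d}  "
              f"frame={f.frame_len:5d}  MF={int(f.more_fragments)}")
    print("reassembled IPv4 packet:", reassembled_length(fragment_icmp_echo(2000)), "bytes")
```

For a 2000-byte ping the second fragment starts at byte 1480 of the IPv4 payload (offset field 185), which is why only the final 562-byte frame shows the full dissected ICMP packet.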