Wireshark-users: Re: [Wireshark-users] Length reported in UDP header

From: Sake Blok <sake@xxxxxxxxxx>
Date: Thu, 30 Jul 2009 07:42:13 +0200
On Wed, Jul 29, 2009 at 09:34:51PM -0700, Rayne wrote:
> 
> Is it common for UDP packets to have the length in its header reported
> wrongly? I'm writing a program that simply parses through the various
> headers in a packet, and I'm getting a lot of values larger than 1500
> in my variable "size_udp", which is obtained via
> 
> size_udp = ntohs(udp->len);
> 
> where udp points to the beginning of the UDP header and len is the
> length field in the UDP header.
> 
> I'm not sure if I'm parsing incorrectly, or if it's inherent in UDP
> packets, as I do get correct size_udp values for other UDP packets as
> well.

UDP PDUs can be larger than 1500 octets. If they won't fit in one IP
datagram, the IP layer fragments the UDP PDU into multiple IP datagrams
setting the "more fragments" flag (ip.flags.mf) and the "fragment
offset" (ip.frag_offset).

This is very common for NFS over UDP. If a blocksize of 8192 is picked,
the NFS packet will be put in one UDP PDU, being fragmented by IP into 6
IP datagrams.

Hope this helps,
Cheers,


Sake

PS: Wireshark is capable of reassembling the IP fragments so that the
UDP dissector will see the whole UDP PDU at once, making it possible for
the higher layer dissectors to dissect its PDUs correctly.
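As an added example (not part of Sake's reply or Rayne's question), the following C program builds a 2008-octet UDP PDU in memory, splits it into two IP fragments the way the IP layer would, and parses the fragments back. The ports, IP id and payload are constructed; no checksums are computed and nothing is sent on the wire. It shows why a value above 1500 in size_udp is legitimate, why ntohs(udp->len) must only be read from the fragment with offset 0 (later fragments carry no UDP header), and how a reassembler that tracks which octets it has seen rejects holes and overlapping fragments rather than passing a damaged PDU to the next layer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fields of an IPv4 header that matter for fragment handling. */
struct ipv4_view {
    size_t   ihl_bytes;       /* header length in octets */
    uint16_t total_len;       /* ip.len: length of this fragment only */
    uint16_t id;              /* ip.id: shared by all fragments of one PDU */
    int      more_fragments;  /* ip.flags.mf */
    uint16_t frag_offset;     /* ip.frag_offset, already multiplied by 8 */
    uint8_t  proto;           /* 17 = UDP */
};

struct demo_result {
    uint16_t first_len;        /* udp.length read from the first fragment */
    int      second_has_hdr;   /* 1 if a UDP header was (wrongly) found in fragment 2 */
    long     reassembled;      /* reassembled PDU size, or -1 */
    long     incomplete;       /* result when the last fragment is missing */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Parse an IPv4 header with bounds checks; returns 0 on success. */
static int parse_ipv4(const uint8_t *pkt, size_t len, struct ipv4_view *v) {
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    v->ihl_bytes = (size_t)(pkt[0] & 0x0f) * 4;
    v->total_len = rd16(pkt + 2);
    if (v->ihl_bytes < 20 || v->total_len < v->ihl_bytes || v->total_len > len) return -1;
    v->id = rd16(pkt + 4);
    uint16_t ff = rd16(pkt + 6);
    v->more_fragments = (ff & 0x2000) != 0;
    v->frag_offset = (uint16_t)((ff & 0x1fff) * 8);
    v->proto = pkt[9];
    return 0;
}

/* ntohs(udp->len) as in the question, but only where a UDP header exists:
 * the fragment with offset 0. Other fragments are payload only. */
static int udp_len_from_packet(const uint8_t *pkt, size_t len, uint16_t *udp_len) {
    struct ipv4_view v;
    if (parse_ipv4(pkt, len, &v) != 0 || v.proto != 17) return -1;
    if (v.frag_offset != 0 || v.total_len - v.ihl_bytes < 8) return -1;
    *udp_len = rd16(pkt + v.ihl_bytes + 4);
    return 0;
}

/* Reassemble fragments sharing one ip.id into out. A per-octet "seen" map
 * rejects overlaps and holes; the fragment with MF=0 fixes the total length. */
static long reassemble(const uint8_t *const *frags, const size_t *lens, size_t n,
                       uint8_t *out, size_t outcap) {
    static uint8_t seen[65536];
    long total = -1;
    uint16_t id = 0;
    memset(seen, 0, sizeof seen);
    for (size_t i = 0; i < n; i++) {
        struct ipv4_view v;
        if (parse_ipv4(frags[i], lens[i], &v) != 0) return -1;
        if (i == 0) id = v.id; else if (v.id != id) return -1;
        size_t data = v.total_len - v.ihl_bytes, end = v.frag_offset + data;
        if (end > outcap || end > sizeof seen) return -1;
        for (size_t k = v.frag_offset; k < end; k++) {
            if (seen[k]) return -1;          /* overlapping fragment: refuse */
            seen[k] = 1;
        }
        memcpy(out + v.frag_offset, frags[i] + v.ihl_bytes, data);
        if (!v.more_fragments) total = (long)end;
    }
    if (total < 0) return -1;                /* never saw the last fragment */
    for (long k = 0; k < total; k++) if (!seen[k]) return -1;   /* hole */
    return total;
}

/* Build one IPv4 fragment carrying udp[off, off+n); off must be a multiple of 8. */
static size_t make_fragment(uint8_t *dst, uint16_t id, const uint8_t *udp,
                            size_t off, size_t n, int mf) {
    memset(dst, 0, 20);
    dst[0] = 0x45; dst[8] = 64; dst[9] = 17;   /* IPv4, IHL 5, TTL 64, UDP */
    wr16(dst + 2, (uint16_t)(20 + n));
    wr16(dst + 4, id);
    wr16(dst + 6, (uint16_t)((off / 8) | (mf ? 0x2000 : 0)));
    memcpy(dst + 20, udp + off, n);
    return 20 + n;
}

/* Constructed case: a 2000-octet payload (udp.length 2008) split at 1480 octets,
 * the largest multiple of 8 that fits a 1500-octet MTU after a 20-octet header. */
static struct demo_result demo(void) {
    static uint8_t udp[8 + 2000], f1[1500], f2[1500], out[65536];
    struct demo_result r;
    uint16_t dummy;
    wr16(udp, 2049); wr16(udp + 2, 2049);      /* constructed NFS-style ports */
    wr16(udp + 4, (uint16_t)sizeof udp); wr16(udp + 6, 0);
    memset(udp + 8, 0xAB, 2000);
    size_t l1 = make_fragment(f1, 0x1234, udp, 0, 1480, 1);
    size_t l2 = make_fragment(f2, 0x1234, udp, 1480, sizeof udp - 1480, 0);
    const uint8_t *const frags[2] = { f1, f2 };
    const size_t lens[2] = { l1, l2 };
    r.first_len = 0;
    udp_len_from_packet(f1, l1, &r.first_len);
    r.second_has_hdr = udp_len_from_packet(f2, l2, &dummy) == 0;
    r.reassembled = reassemble(frags, lens, 2, out, sizeof out);
    r.incomplete = reassemble(frags, lens, 1, out, sizeof out);
    return r;
}

int main(void) {
    struct demo_result r = demo();
    printf("udp.length in first fragment: %u (larger than a 1500-octet MTU)\n", r.first_len);
    printf("UDP header found in second fragment: %s\n", r.second_has_hdr ? "yes" : "no");
    printf("reassembled PDU: %ld octets; with last fragment missing: %ld\n",
           r.reassembled, r.incomplete);
    return 0;
}
```

Run as-is it prints 2008 for the first fragment, "no" for the second, 2008 for the full reassembly and -1 for the incomplete set. The same rule Wireshark applies is visible here: size_udp is only meaningful on the offset-0 fragment, and the UDP length becomes checkable against real data only after every fragment with the same ip.id has arrived.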