Wireshark-users: Re: [Wireshark-users] Wireshark fails to display UDP packets

From: Chris Maynard <Chris.Maynard@xxxxxxxxx>
Date: Thu, 1 Dec 2011 18:31:21 +0000 (UTC)
Stephen Fisher <steve@...> writes:

> > What I don't understand is, why wireshark does not detect UDP 
> > protocol, when IP protocol has already detected it. Maybe that will 
> > help me see what mistake is done in the frame.
> 
> I suspect it is because the packets are fragmented IP.  Do you have the 
> "reassemble fragmented IPv4 datagrams" preference enabled under the IPv4 
> protocol preferences?

Even if the "reassemble fragmented IPv4 datagrams" preference is enabled, the IP
fragments will still only be displayed as you see in the picture.  The only
difference would be with the last fragment - if all fragments were present (and
not ignored, as it looks like might be the case from the attached screen shot) -
then Wireshark could reassemble the IP fragments into a complete UDP packet.

If you don't want to bother looking at the unreassembled IP fragments, you can
use a display filter to exclude them, such as with something like,
"!(ip.flags.mf == 1)" or simply "udp".

Of course if you don't have "reassemble fragmented IPv4 datagrams" enabled, then
"udp" will match the first fragment instead of the last/reassembled one, so you
might decide to change your filter a bit to something like, "ip.frag_offset ==
0" or again, you could just use "udp".  Note that you won't see the entire
reassembled packet in this case, but the UDP header will be dissected as well as
however many bytes of UDP payload data were present in the first fragment. 

- Chris
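
The IPv4 fragment fields behind the two display filters mentioned above, as an added example that is not part of the original message and is not Wireshark's own code. The helper names, the 192.0.2.x addresses and the sample 3000-byte datagram are constructed assumptions; the predicates only model the filters on raw header fields.

```python
import struct

IPV4_FMT = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header, no options

def ipv4_header(mf, offset_bytes, payload_len, ident=0x1234, proto=17):
    """Build a constructed 20-byte IPv4 header (checksum left at 0)."""
    flags_frag = (0x2000 if mf else 0) | (offset_bytes // 8)  # offset field is in 8-byte units
    return struct.pack(IPV4_FMT, 0x45, 0, 20 + payload_len, ident, flags_frag,
                       64, proto, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))

def classify(header):
    """Report the fragment fields and which of the two filters would match."""
    fields = struct.unpack(IPV4_FMT, header[:20])
    flags_frag, proto = fields[4], fields[6]
    mf = bool(flags_frag & 0x2000)       # More Fragments bit
    offset = (flags_frag & 0x1FFF) * 8   # fragment offset in bytes
    if not mf and offset == 0:
        kind = "unfragmented"
    elif offset == 0:
        kind = "first"
    elif mf:
        kind = "middle"
    else:
        kind = "last"
    return {
        "kind": kind,
        "frag_offset": offset,
        "not_mf": not mf,             # models !(ip.flags.mf == 1)
        "offset_zero": offset == 0,   # models ip.frag_offset == 0
        # The UDP header sits at the start of the IP payload, so only offset 0 carries it.
        "udp_header_here": proto == 17 and offset == 0,
    }

# Constructed sample: one 3000-byte UDP datagram split for a 1500-byte MTU,
# followed by one small unfragmented UDP packet.
SAMPLE = [
    ipv4_header(True, 0, 1480),
    ipv4_header(True, 1480, 1480),
    ipv4_header(False, 2960, 40),
    ipv4_header(False, 0, 108, ident=0x1235),
]

if __name__ == "__main__":
    for hdr in SAMPLE:
        print(classify(hdr))
```

Only the offset-0 fragment carries the UDP header, so the offset filter selects the first fragment while the MF filter selects the last one.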