This feature requires Wireshark to consume a lot of extra memory to store the reassembly buffers, and it is disabled by default.
To enable IP Reassembly, go to preferences and tick the box for reassembly.
When you enable IP Reassembly, several things change in TShark and Wireshark. First of all, Wireshark will no longer dissect the UDP or TCP header (or any protocol above these) in the frame that contained the header of the IP packet. Instead, the call to the UDP or TCP protocol dissector is deferred until all IP fragments have been received and the full IP datagram has been reassembled.
The difference shows up as follows. Without IP Reassembly, the upper-layer protocol (UDP or TCP, and whatever sits above it) is dissected and displayed for the frame of the initial fragment (where the fragment offset is 0), for as much of it as is present in that frame. This frame will also usually have an information text in the packet summary line along the lines of "[Short Frame]". All the other IP fragments of this IP datagram are dissected only up to and including the IP layer.
IP Reassembly is an all-or-nothing feature. If not every single IP fragment required to complete the reassembly can be found in the capture, then nothing at all will be dissected, not even the TCP or UDP layer.
Common reasons why IP Reassembly fails to reassemble packets:
- IP Header Checksum is invalid. If the IP Header Checksum is invalid, then the IP Reassembly function will ignore the packet.
- Some of the IP fragments are just plain missing from the capture. This is a fact of life: you will never have a guarantee that every single packet that went across the wire was actually captured and written to the capture file.
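The two failure reasons above can be checked offline. The following Python sketch is an added example, not Wireshark's code: it ignores fragments whose IP header checksum is invalid and reports whether the remaining fragments of each datagram cover it without holes. The packets are constructed, and the function names are this example's own.

```python
import struct
from collections import defaultdict

def checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement checksum; 0 for a header whose checksum is valid."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def make_fragment(ident, offset, more, payload, corrupt=False):
    """Build a constructed IPv4/UDP fragment from 10.0.0.1 to 10.0.0.2."""
    flags_off = (0x2000 if more else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_off, 64, 17, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    csum = checksum(hdr) ^ (1 if corrupt else 0)   # flip one bit to invalidate it
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload

def reassembly_status(packets):
    """Map IP ID -> 'complete' or 'incomplete' for each fragmented datagram."""
    frags = defaultdict(list)
    for pkt in packets:
        ihl = (pkt[0] & 0x0F) * 4
        total_len, ident, flags_off = struct.unpack("!HHH", pkt[2:8])
        if flags_off & 0x3FFF == 0:
            continue                       # neither MF set nor offset > 0: not a fragment
        key = (pkt[12:16], pkt[16:20], pkt[9], ident)   # src, dst, protocol, IP ID
        if checksum(pkt[:ihl]) != 0:
            continue                       # invalid header checksum: fragment is ignored
        start = (flags_off & 0x1FFF) * 8
        frags[key].append((start, start + total_len - ihl, bool(flags_off & 0x2000)))
    status = {}
    for key, parts in frags.items():
        covered, hole, saw_last = 0, False, False
        for start, end, more in sorted(parts):
            hole = hole or start > covered          # gap: a fragment is missing
            covered = max(covered, end)
            saw_last = saw_last or not more
        status[key[3]] = "complete" if saw_last and not hole else "incomplete"
    return status

DATA = b"A" * 16   # constructed payload; non-final fragments must be a multiple of 8 bytes
SAMPLE = [         # constructed capture: three datagrams of three fragments each
    make_fragment(1, 0, True, DATA), make_fragment(1, 16, True, DATA), make_fragment(1, 32, False, DATA),
    make_fragment(2, 0, True, DATA), make_fragment(2, 32, False, DATA),                # middle missing
    make_fragment(3, 0, True, DATA, corrupt=True), make_fragment(3, 16, True, DATA),
    make_fragment(3, 32, False, DATA),                                                 # first one corrupt
]
print(reassembly_status(SAMPLE))  # {1: 'complete', 2: 'incomplete', 3: 'incomplete'}
```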
This feature WILL consume a lot of additional memory at runtime if there are IP fragments present in the trace. It is a very, very bad idea to enable this feature for huge NFS-over-UDP traces, since that will eat memory like there is no tomorrow.
To enable IP Reassembly, tick this preference setting:
Reassemble fragmented IP datagrams.