IP Reassembly

IP Reassembly is a feature in Wireshark and TShark that automatically reassembles all fragmented IP datagrams into a full IP packet before calling the higher-layer dissector.

This feature requires Wireshark to consume a lot of extra memory to store the reassembly buffers, and it is disabled by default.

To enable IP Reassembly, go to the preferences and tick the box for reassembly.

When you enable IP Reassembly, several things in TShark and Wireshark change. First of all, Wireshark will no longer dissect the UDP or TCP header (or any protocol above these) in the frame that contained the header of the IP packet. Instead, the call to the UDP or TCP protocol dissector is deferred until all IP fragments have been received and the full IP datagram has been reassembled.

The difference shows up as follows: without IP Reassembly, the upper-layer protocol (UDP or TCP, and whatever sits above it) is dissected and displayed for the frame holding the initial fragment (where the fragment offset is 0), as far as it is present in that frame. This frame will also usually have an information text in the packet summary line along the lines of "[Short Frame]". All the other IP fragments of this IP datagram are dissected only up to and including the IP layer.

When this feature is enabled, dissection of the IP datagram is deferred until the packet in the capture at which the full IP datagram has been completely reassembled.

This means that some packets that rely on reassembly, such as NFS over UDP, will dissect differently, and even in different frames, when IP Reassembly is enabled.

IP Reassembly is an all-or-nothing feature. If not every single IP fragment required to complete the reassembly can be found in the capture, then nothing at all will be dissected, not even the TCP or UDP layer.
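The deferral and all-or-nothing behaviour described above, as an added Python sketch that is not Wireshark's own code. The function name, the tuple layout and the sample frames are constructed for illustration; it assumes byte offsets and non-overlapping fragments.

```python
from collections import defaultdict

def reassemble(frames):
    """frames: (frame_no, key, offset, more_fragments, payload) tuples, where
    key stands for (src, dst, protocol, IP ID). Returns (completed, pending):
    completed maps the frame in which a datagram became whole to its payload,
    pending holds the buffers that never completed (and keep using memory)."""
    buffers = defaultdict(dict)   # key -> {offset: payload}
    total_len = {}                # key -> full length, known once MF=0 is seen
    completed = {}
    for frame_no, key, offset, more_fragments, payload in frames:
        buffers[key][offset] = payload
        if not more_fragments:
            total_len[key] = offset + len(payload)
        if key not in total_len:
            continue              # last fragment not seen yet: keep buffering
        # Walk the buffer from offset 0; any hole means "not complete yet".
        data, pos = b"", 0
        while pos in buffers[key] and buffers[key][pos]:
            data += buffers[key][pos]
            pos = len(data)
        if pos == total_len[key]:
            # Only now would the UDP/TCP dissector be called, in this frame.
            completed[frame_no] = data
            del buffers[key], total_len[key]
    return completed, dict(buffers)

# Constructed sample capture: datagram A arrives out of order over frames
# 1, 3 and 4; datagram B is missing its middle fragment (offset 16).
A = ("10.0.0.1", "10.0.0.2", 17, 0x1234)
B = ("10.0.0.1", "10.0.0.2", 17, 0x1235)
SAMPLE = [
    (1, A, 0, True, b"UDPHDR00" + b"a" * 8),
    (2, B, 0, True, b"UDPHDR01" + b"b" * 8),
    (3, A, 32, False, b"c" * 4),
    (4, A, 16, True, b"d" * 16),
    (5, B, 32, False, b"e" * 4),
]

if __name__ == "__main__":
    done, stuck = reassemble(SAMPLE)
    for frame_no, data in done.items():
        print(f"frame {frame_no}: upper layer dissected, {len(data)} bytes")
    for key, frags in stuck.items():
        print(f"IP ID {key[3]:#06x}: never completed, offsets {sorted(frags)}")
```

Datagram A is handed to the upper layer only in frame 4, not in frame 1 where its UDP header arrived, and datagram B is never handed up at all.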

Common reasons why IP Reassembly fails to reassemble packets:

Beware

This feature WILL consume a lot of additional memory at runtime if there are IP fragments present in the trace. It is a very, very bad idea to enable this feature for huge NFS over UDP traces, since that will eat memory like there is no tomorrow.

Display

To enable IP Reassembly, tick the reassembly preference setting.

Preference String

Reassemble fragmented IP datagrams.


Imported from https://wiki.wireshark.org/IP_Reassembly on 2020-08-11 23:15:19 UTC