
IP Fragments Header

sivam siva
Level 3

Hello all

 

The statement below, found on the Cisco website, says that only non-fragment and initial fragment packets contain a Layer 4 header, and non-initial fragments do not.

https://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/8014-acl-wp.html

"Non-initial fragments are traditionally allowed through the ACL because they can be blocked based on Layer 3 information in the packets; however, because these packets do not contain Layer 4 information, they do not match the Layer 4 information in the ACL entry, if it exists."

 

But as per my lab test, only the non-fragment and the final fragment contain a Layer 4 header, not the initial one!

I have attached a packet capture below; can anyone explain, please?

IP Frag.JPG

 

Thanks 

Siva

3 Replies

Giuseppe Larosa
Hall of Fame

Hello Siva,

You are using a small server / service called ECHO on TCP port 7.

 

See the following thread from the Learning Network for additional info:

 

https://learningnetwork.cisco.com/thread/120555

 

In fact, the last packet is recognized as ECHO in the packet capture.

 

The ECHO service is described in the following RFC:

 

https://tools.ietf.org/html/rfc862

 

>>

TCP Based Echo Service

   One echo service is defined as a connection based application on TCP.
   A server listens for TCP connections on TCP port 7.  Once a
   connection is established any data received is sent back.  This
   continues until the calling user terminates the connection.

 

My guess is that what you see is application-specific, because this ECHO service sends back the received traffic in reverse order with the objective of providing a way to measure RTT (Round Trip Time), i.e. the two-way delay.

See

https://en.wikipedia.org/wiki/Echo_Protocol

 

This protocol on the UDP port 7 is actually used for Wake on LAN.

 

So I would suggest that you set up an FTP server, for example, and repeat your tests with a conventional application like FTP.

The results of the new tests should show that the Layer 4 information is contained in the first fragment and not in the last one, as I have always seen in my packet captures.

In other words, you have found an exception to the general rule, given the peculiar nature of the ECHO service.

 

>> I hope your switching exam has been successful.

 

Hope to help

Giuseppe

 

Hi @Giuseppe Larosa 

 

Thank you for the reply.

Let me do the test with another protocol, as you said.

 

I'm glad you remember me!

With your helping hands, I successfully completed my switch exam.

 

Regards 

Siva

 

 

Hello @Giuseppe Larosa 

 

I have captured TCP fragments; below are the packet details:

tcp fregments.JPG

 

But I could see only all the collected fragments. Could you help me find any other way to see the TCP header only in the first fragment?

 

Thanks 

Siva
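
Added example, not part of the thread: a Python sketch that classifies IPv4 packets from the fragmentation fields alone (the More Fragments flag and the fragment offset) and reads TCP/UDP ports only where the offset is 0, the only place the start of the Layer 4 header can sit, independently of how a capture tool displays reassembled datagrams. The addresses, ports, payload and the helper names `build_ipv4`, `fragment` and `classify` are constructed for illustration; the header checksum is left at 0.

```python
import struct

def build_ipv4(payload: bytes, flags_frag: int, proto: int = 6) -> bytes:
    """Constructed IPv4 header (checksum left 0) followed by payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                       flags_frag, 64, proto, 0,
                       bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + payload

def fragment(l4_segment: bytes, chunk: int = 24) -> list:
    """Split an L4 segment into IPv4 fragments; chunk must be a multiple of 8."""
    if chunk % 8:
        raise ValueError("fragment size must be a multiple of 8 bytes")
    frags = []
    for off in range(0, len(l4_segment), chunk):
        mf = 0x2000 if off + chunk < len(l4_segment) else 0  # More Fragments bit
        frags.append(build_ipv4(l4_segment[off:off + chunk], mf | (off // 8)))
    return frags

def classify(packet: bytes) -> dict:
    """Classify one IPv4 packet from its MF flag and fragment offset."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    (flags_frag,) = struct.unpack("!H", packet[6:8])
    mf = bool(flags_frag & 0x2000)
    offset = (flags_frag & 0x1FFF) * 8          # field counts 8-byte units
    if offset:
        kind = "non-initial"
    else:
        kind = "initial" if mf else "non-fragment"
    ports = None
    # Only offset 0 holds the first bytes of the IP payload, so only there
    # can the TCP/UDP source and destination ports be read.
    if offset == 0 and packet[9] in (6, 17) and len(packet) >= ihl + 4:
        ports = struct.unpack("!HH", packet[ihl:ihl + 4])
    return {"kind": kind, "offset": offset, "mf": mf, "ports": ports}

# Constructed sample: 20-byte TCP header (49152 -> 21) plus 52 bytes of data.
TCP_SEGMENT = struct.pack("!HHIIBBHHH", 49152, 21, 1, 0, 0x50, 0x18,
                          65535, 0, 0) + b"A" * 52

if __name__ == "__main__":
    for pkt in [build_ipv4(TCP_SEGMENT, 0)] + fragment(TCP_SEGMENT):
        print(classify(pkt))
```

Run against the constructed segment, the unfragmented packet and the offset-0 fragment both yield ports (49152, 21), while the fragments at offsets 24 and 48 yield no ports, which is why a Layer 4 ACL entry cannot match them on port.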
