Below statement found in cisco website, saying only non-fragment & initial Fragment packets contain Layer 4 header,
and non-initial fragments do not contain.
""Non-initial fragments are traditionally allowed through the ACL because they can be blocked based on Layer 3 information in the packets; however, because these packets do not contain Layer 4 information, they do not match the Layer 4 information in the ACL entry, if it exists.""
But as per my lab test, only non-fragment and the final fragment contains Layer 4 header, not an initial one!.
I have attached packet capture below, can anyone explain, please?
you are using a small server / service called ECHO on TCP port 7.
see the following thread from learning network for additional info
In fact, the last packet is recognized as ECHO in the packet capture.
The ECHO service is described here in the following RFC
TCP Based Echo Service One echo service is defined as a connection based application on TCP. A server listens for TCP connections on TCP port 7. Once a connection is established any data received is sent back. This continues until the calling user terminates the connection.
My guess is that what you see is application specific, because this ECHO service sends back the received traffic in reverse order with the objective to provide a way to measure RTT = Round Trip Time. = two ways delay.
This protocol on the UDP port 7 is actually used for Wake on LAN.
So I would suggest you to setup an FTP server for example and to repeat your tests with a conventional application like FTP.
The results of the new tests should show that the layer4 information is contained in the first fragment and not in the last one as I have always seen in my packet captures.
In other words you have found an exception to the general rule, given the peculiar nature of the ECHO service.
>> I hope your switching exam has been successful.
Hope to help
Thank you for the reply,
Let me do the test with other protocol as you said.
I'm glad you remember me!
With your helping hands I successfully completed my switch exam.
Hello @Giuseppe Larosa
I have captured TCP fragments, below is the packet details
But I could see only all the collected fragments, could you help me to find any other way to see TCP header only in the first fragment.