Fragmented traffic

tedauction

Hello, I am seeing a lot of fragmented UDP 17 packets in a Wireshark sniff of incoming traffic from a Cisco 4900 switch (firmware 122-53.SG10). However, when I run the command 'sh ip traffic' on the switch, the fragmentation statistics look empty. Can someone explain why this is?

Thank you kindly

##sh ip traffic
IP statistics:
Rcvd: 1445188 total, 1404824 local destination
0 format errors, 0 checksum errors, 2072 bad hop count
0 unknown protocol, 562 not a gateway
0 security failures, 0 bad options, 29173 with options
Opts: 0 end, 0 nop, 0 basic security, 0 loose source route
0 timestamp, 0 extended security, 0 record route
0 stream ID, 0 strict source route, 29173 alert, 0 cipso, 0 ump
0 other
Frags: 0 reassembled, 0 timeouts, 0 couldn't reassemble
0 fragmented, 0 couldn't fragment
Bcast: 1179774 received, 0 sent
Mcast: 132217 received, 120400 sent
Sent: 244084 generated, 3314915 forwarded
Drop: 2868 encapsulation failed, 0 unresolved, 0 no adjacency
0 no route, 0 unicast RPF, 0 forced drop
0 options denied, 0 source IP address zero

ICMP statistics:
Rcvd: 0 format errors, 0 checksum errors, 0 redirects, 2 unreachable
26786 echo, 0 echo reply, 0 mask requests, 0 mask replies, 0 quench
0 parameter, 0 timestamp, 0 info request, 0 other
0 irdp solicitations, 0 irdp advertisements
Sent: 30951 redirects, 3 unreachable, 0 echo, 26786 echo reply
0 mask requests, 0 mask replies, 0 quench, 0 timestamp
0 info reply, 3 time exceeded, 0 parameter problem
0 irdp solicitations, 0 irdp advertisements

TCP statistics:
Rcvd: 711 total, 0 checksum errors, 1 no port
Sent: 555 total

Probe statistics:
Rcvd: 0 address requests, 0 address replies
0 proxy name requests, 0 where-is requests, 0 other
Sent: 0 address requests, 0 address replies (0 proxy)
0 proxy name replies, 0 where-is replies

UDP statistics:
Rcvd: 1364794 total, 0 checksum errors, 1180006 no port
Sent: 183751 total, 0 forwarded broadcasts

OSPF statistics:
Rcvd: 0 total, 0 checksum errors
0 hello, 0 database desc, 0 link state req
0 link state updates, 0 link state acks

Sent: 0 total
0 hello, 0 database desc, 0 link state req
0 link state updates, 0 link state acks

EIGRP-IPv4 statistics:
Rcvd: 0 total
Sent: 0 total

PIMv2 statistics: Sent/Received
Total: 1206/1200, 0 checksum errors, 0 format errors
Registers: 0/0 (0 non-rp, 0 non-sm-group), Register Stops: 0/0, Hellos: 1206/1200
Join/Prunes: 0/0, Asserts: 0/0, grafts: 0/0
Bootstraps: 0/0, Candidate_RP_Advertisements: 0/0
Queue drops: 0
State-Refresh: 0/0

IGMP statistics: Sent/Received
Total: 902/11608, Format errors: 0/0, Checksum errors: 0/0
Host Queries: 594/0, Host Reports: 308/11513, Host Leaves: 0/40
DVMRP: 0/0, PIM: 0/0
Queue drops: 0

ARP statistics:
Rcvd: 303057 requests, 19571 replies, 53 reverse, 0 other
Sent: 2619 requests, 13147 replies (12641 proxy), 0 reverse
Drop due to input queue full: 0


balaji.bandi

Show us your Wireshark output; we cannot assume what traffic was fragmented.

More information needs to be provided to give you the right information and solution.

 

BB

Hello, attachment added showing fragmented traffic.

I think I may know why. The command 'sh ip traffic' only shows transiting fragmented packets, i.e. not packets that were actually fragmented by the Cisco interface.

That would explain why the output of 'sh ip traffic' shows 0 fragmented packets, however my end client Wireshark sniff does show fragmented packets.

Would you guys agree with that?

Thank you.
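
Added example, not part of the thread and not Cisco or Wireshark code: one way to put the two observations side by side, by reading the Frags counters out of 'sh ip traffic' text and counting fragments in captured IPv4 headers (a packet is a fragment when its More Fragments flag is set or its fragment offset is non-zero). The function names, the sample headers and the documentation-range addresses are constructed for illustration.

```python
import re
import struct
from collections import defaultdict

# Constructed sample: the Frags lines as they appear in the post's 'sh ip traffic' output.
SHOW_IP_TRAFFIC = """IP statistics:
Frags: 0 reassembled, 0 timeouts, 0 couldn't reassemble
0 fragmented, 0 couldn't fragment
Bcast: 1179774 received, 0 sent
"""

def parse_frag_counters(text):
    """Return the device's Frags counters as {name: count}."""
    block = re.search(r"Frags:\s*(.*?)(?=\n\s*[A-Z]\w*:)", text, re.S)
    if block is None:
        raise ValueError("no Frags section found")
    return {name.strip(): int(n)
            for n, name in re.findall(r"(\d+)\s+([^,\n]+)", block.group(1))}

def make_header(ident, more_fragments, offset_bytes, proto=17):
    """Build a constructed 20-byte IPv4 header (checksum left at 0)."""
    flags_off = (0x2000 if more_fragments else 0) | (offset_bytes // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, ident, flags_off,
                       64, proto, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))

def fragment_groups(headers):
    """Group fragments by (src, dst, proto, IP ID), the reassembly key."""
    groups = defaultdict(list)
    for hdr in headers:
        if len(hdr) < 20 or hdr[0] >> 4 != 4:
            continue  # not an IPv4 header
        ident, flags_off = struct.unpack("!HH", hdr[4:8])
        offset = (flags_off & 0x1FFF) * 8
        if flags_off & 0x2000 or offset:  # MF set or non-zero offset
            src, dst = (".".join(map(str, hdr[i:i + 4])) for i in (12, 16))
            groups[(src, dst, hdr[9], ident)].append(offset)
    return dict(groups)

# Constructed capture: two fragmented UDP datagrams and one whole one.
CAPTURE = [make_header(0x1234, True, 0), make_header(0x1234, False, 1480),
           make_header(0x2222, False, 0),
           make_header(0x1235, True, 0), make_header(0x1235, True, 1480),
           make_header(0x1235, False, 2960)]

if __name__ == "__main__":
    counters = parse_frag_counters(SHOW_IP_TRAFFIC)
    groups = fragment_groups(CAPTURE)
    seen = sum(len(v) for v in groups.values())
    print(f"device counters: {counters}")
    print(f"capture: {seen} fragments in {len(groups)} datagrams")
```

Grouping by source, destination, protocol and IP ID shows which hosts send the fragmented datagrams, which is the information needed before comparing against any one device's counters.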