Good stuff Chris !!!! Keep them coming and much appreciated. It's good to review the basics from time to time.
Thanks for the comment Dirk! The fundamentals are everything.
@@ChrisGreer Agreed......
Dude I could literally watch you whole day. Such a calm and smooth explanation
Thanks for the comment!
Chris, you never cease to explain anything with utmost clarity and precision. You inspire to learn more!
Thank you for the kind comment!
The fact that Chris thought "There might be someone who is interested in learning this, so let's make a video" in itself is great. Thank you so much Chris!
Thank you for thinking that! Happy that other people like to learn the same stuff my brain finds interesting. 😄
@@ChrisGreer You probably have a fair idea how many of us resonate with your ideas. Way to go 🥳
I love your explanation, the practical with wireshark and tone of your voice... it really sinks in...
Thanks a lot
why I’m really finding you now? you’ve been here for 2 years and dumb me just found you, anyway you are awesome teacher keep up the great work❤
Thank you! I’ll still be around so check back in from time to time!
Super quality video! I learned so much, I love that you show us the packets so we can see what's really going on. It's a great style of learning!
Glad you enjoyed it!
Taking this class in college rn and the explanations weren’t getting through but this really helps a lot
Thank you Chris for sharing all this stuff to help network engineers be in the right direction!
My hope is to one day be as good as you. Thank you so much for all the work you put into your vids. Great explanations.👍
My hope is that one day you are better... 🙃
Thanks Chris, I used to bypass fragmented packets in Wireshark during analysis because I couldn't understand it; you helped so much to change the idea of fragmentation complexity.
Great video and explanation, thanks so much, really appreciated.
excellent video. It shows that you have the concepts very well since you can describe them in an extremely simple way so that anyone can understand it... Thanks for the brilliant videos you have.
Thank you for the comment Marcelo!
this was one of the best explanation videos ever! thanks Chris
Good one Chris...kudos for taking the time to record this......Thx much.
Thanks for the comment. It helps!
You're a legend Chris for sharing this info. It makes us understand Wireshark so much easier.
Awesome! Glad it helps you RDP.
This is the best IP fragmentation explanation I have seen! Thank you for this excellent video which both my wife and I enjoyed :)
Thanks Josh!
The way you explain things is super clear. Thank you very much for sharing your knowledge, you're amazing.
You're very welcome! Thank you for watching and commenting.
Nice video, always enjoy the content you put out.
At 2:35, I think you made a mistake here. The 1500 byte packet gets split into a 1400 byte packet and a 120 byte packet (assuming we are talking about L3 inclusive of headers here).
This is awesome, I'd been looking for this answer since last year after I failed in my interview and I finally got the answer! Thank you very much. It's simple and well explained.
Awesome! Glad it helped you! 👏
One thing to bear in mind is fragmentation is deprecated, replaced with Path MTU Discovery (PMTUD), where routers are not allowed to fragment and must return a too big ICMP message on oversize packets. This is mandatory on IPv6 and often happens on IPv4 by setting the do not fragment flag.
This is awesome. The concept was explained in a very detailed manner and easy to understand. Hope we see more videos from you.
More to come!
Thanks for the clearly explained video, Chris. I am following along with all your videos from Pluralsight.
Great to hear! Awesome!
Much appreciated, becoming addicted to learning, great stuff
The best wireshark guy out there 😊
Absolutely liked it Chris !! Much needed fundamentals brush up for me
Awesome Mayur, thank you for the comment!
Great explanation, thanks for showing how it looks on Wireshark too, much easier to understand 🙌
Chris is so good, I watch his videos on topics I already know, just to see how he approaches the topic. Nice shout out to network chuck, hopefully Chris doesn’t get all clickbaity like him 🥴
Great to meet you Daniel, and thank you for the feedback!
Hi Chris. Thanks from India!! Excellent video and very well explained.
Glad it was helpful! Thank you!
Great explanation Chris! Thanks
Chris, good job. It would be very interesting for slightly more advanced users if you could make a video about how to detect a network shaper from the ISP side (our ISP limit us to what they claim or they do something else ... )
Great suggestion! I will see what I can do.
Great video. crystal clear explanation. Thank you so much!
Waiting for this explanation. Thanks a lot for this wonderful explanation video
You are most welcome!
Really helpful in my network testing.. Awesome
Great to hear!
Good videos Chris, it's very easy to understand the concepts you explain. Love to see some SSL handshake videos and OCSP too.
Thanks Manjesh! I appreciate the feedback!
Awesome explanation.. I can imagine packet travelling in ma brain..
Tnx for such great share Mr. Chris🥸
My pleasure!
Thank you so much for what you share with us!!
Glad it helps!
Great explanation Chris! But at 5:00, wouldn't you take off 18 bytes instead of 14 for the Ethernet header? Is the 4 byte FCS not counted?
GREAT catch! So Wireshark doesn't calculate the FCS as a part of the length. So that is why the frame is 1514 and the remaining part of the Ethernet frame is 14 bytes.
you're a great teacher!
Thank you! 😃
Hello Chris,
What I did not understand is why you mentioned that when the MTU size is low then fragmentation happens?
Opinion - Doesn't the fragmentation occur only when the MTU size is higher than 1500 bytes? That means if the value is somewhere say 2000 bytes then the fragmentation occurs.
Hey Ratnavo - fragmentation is only necessary when the MTU is lower than the packet size. If I have an MTU that is larger than 1500, then there is no need to break up a 1500 byte packet, which is the max in most environments. Hope that helps.
Hi sir, I want to know if UDP supports MTU and how we can make a change so client and server can see each other's MTU size on UDP. Is there a registry or some change we can do on the OS?
I created a display column for time-to-live and it seems that every value in the column is an integer power of 2: 1, 32, 128 and so on. So, I believe this capture file came from the server side of the network and I need to capture the client side or some other node to see a value in time-to-live that's not an integer power of 2.
God bless you Chris
Excellent Video Mr G!
Thank you kindly
Would love to see a video on path mtu discovery. Never truly understood that functionality...
Good idea! Great topic that is often misunderstood.
Marvelous explanation Sir...
Can we get a video on TCP headers???
✌️
There are quite a few on the channel already, anything specific you are looking for?
nice explanation chris, need video related to ECN
Oooh great idea. I like it.
Hi Chris, that is great stuff.
Came here because I'm starting out on this journey from scratch after a career in Oil.
After doing a lab and not knowing anything about Wireshark I found your site and clicked on the first video that came up.
I will go through your Wireshark class then head back over to INE and complete the lab.
I like the way you explain this stuff, seems to resonate with me. Subbed and appreciated cheers mate.
Thanks Harold for the comment! Great to have you on the channel!
So I understand how fragmentation works, and I understand what segmentation does, but my question is: If it is common practice to use segmentation to ensure that the eventual frame being transmitted does not exceed the path MTU, then in what scenario would we need fragmentation?
Yes, that is why we can adjust the MSS on network devices. Let TCP do the chopping instead of the routers. Thanks for the comment!
Who sets the DF bit? Is it the application or the gateway?
YES, more GREER content!!
More on the way!
Nice video, Chris Greer !!!!!
Can I force my packets to disable the "flags" so wireshark can't know? Like experiment idk if that even have implications. ik dumb question. 😂
@@xanaxity I suppose so. If you created or modified the packets that were captured.
I do that with a tool called WireEdit
Simply explained! Thanks
Glad it was helpful!
Super awesome explanation!!!!
Glad you think so!
Hi Chris
Great video and really practical content that network engineers should know.
Can you make a video on tcpdump?
Great suggestion!
Thanks for the awesome video. Do you have any plan for how we can split a big pcap file into small ones? I have a file with thousands of sessions but I need to filter only 2 sessions and send it to a third party. Appreciate if you can guide.
Hey Tariq - sure, use editcap on the command line. It gets installed with Wireshark. If editcap is a part of your path, you can just use this syntax:
editcap -c 100 big.pcap small.pcap
That will break up the big pcap into a bunch of small pcaps of 100 packets each. You can decide how many packets you want in each one.
@@ChrisGreer is there any way to filter on basis of source port or per session?
You've made me a fan!
Awesome, great to have you on the channel and thank you for the comment!
Good explanation.
great video sir.
This is gold!
The million dollar question: Is fragmentation bad? I mean if I need a 2mb pdf or a 10gb game it would still need to be sliced, right? Would you consider fragmentation as a network problem? Would fragmentation slow down an application?
Thanks.
Fragmentation isn't ideal. It takes more processing for the router to break it up, then the receiver to reassemble it. There would probably have to be a significant amount of fragmentation to impact performance - but the real problem is the packets that cannot be fragmented. Those will need to be retransmitted. That is what will KILL performance.
Understood @@ChrisGreer thanks for the explanation. Not too long ago a customer had problems over a VPN, the RTT was always fine, I noticed some fragmentation but it was still pretty fast and it didn't explain the app hanging for 90secs. I asked the server team to review but I never got a response back and it still bothers me hahahaha
this man is really legend expert of packet sniffing
Thanks for the comment!
This is beautiful. Thanks.
Thanks for the comment!
thanks again chris the best
Chris thank you man
Thank you!
What if one of the fragments goes missing, how is the ACK mechanism going to deal with it? Thanks.
IP won’t be able to reassemble it to pass it up the stack to TCP. So TCP will treat it as a lost segment and it will have to retransmit the whole thing.
@@ChrisGreer Oh thanks!
Please more questions if you don't mind.
Do you know how one can modify the TCP/IP PDU to include some custom fields? I am experimenting with some SDN stuff on Mininet, hopefully you know about it?
@@ChrisGreer Also, you talk about re-assembly for fragmented IP packets. Is it the same with packet re-ordering? My current understanding of packet re-ordering is the destination re-arranging the packets when they arrive out of sequence, probably due to traversing different paths. Am I right on this? Kindly shed light please. Thanks.
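Added example, not part of the comment thread: a Python sketch of the behaviour discussed in this thread and in the MTU and DF replies above, showing fragmentation only when the packet exceeds the MTU, offsets stored in 8-byte units, and reassembly failing when a fragment is missing. The option-less 20-byte header and the names `fragment`, `sizes` and `reassemble` are assumptions made for the illustration.

```python
IP_HDR = 20                 # IPv4 header without options (assumption for this sketch)
MF, DF = 0x2000, 0x4000     # More Fragments / Don't Fragment bits in the flags+offset field
OFFSET_MASK = 0x1FFF        # low 13 bits: fragment offset in 8-byte units


def fragment(payload: bytes, mtu: int, df: bool = False):
    """Split one IPv4 payload into (flags_offset, data) tuples for a link MTU."""
    if IP_HDR + len(payload) <= mtu:
        return [(DF if df else 0, payload)]          # fits: nothing to fragment
    if df:
        # A router drops the packet here and answers with ICMP type 3 code 4
        # ("fragmentation needed"), which is what Path MTU Discovery relies on.
        raise ValueError("DF set and packet exceeds MTU")
    step = (mtu - IP_HDR) // 8 * 8                   # data per fragment, multiple of 8
    frags = []
    for start in range(0, len(payload), step):
        chunk = payload[start:start + step]
        more = MF if start + step < len(payload) else 0
        frags.append((more | (start // 8), chunk))   # offset stored in 8-byte units
    return frags


def sizes(frags):
    """IP total length of each fragment (header + data)."""
    return [IP_HDR + len(data) for _, data in frags]


def reassemble(frags):
    """Return the payload, or None when a fragment is missing or overlaps."""
    buf, expected, saw_last = b"", 0, False
    # Fragments may arrive in any order; sort by offset before stitching.
    for flags_off, data in sorted(frags, key=lambda f: f[0] & OFFSET_MASK):
        offset = (flags_off & OFFSET_MASK) * 8
        if offset != expected:                       # hole or overlap: refuse
            return None
        buf += data
        expected += len(data)
        saw_last = not (flags_off & MF)
    return buf if saw_last else None


if __name__ == "__main__":
    payload = (bytes(range(256)) * 6)[:1480]         # constructed 1500-byte packet
    frags = fragment(payload, mtu=1400)
    print(sizes(frags), [f[0] & OFFSET_MASK for f in frags])
    print(reassemble(frags[::-1]) == payload)        # out-of-order arrival is fine
    print(reassemble(frags[:1]))                     # lost fragment: nothing for TCP
```

When `reassemble` returns `None`, nothing is passed up the stack, so the transport layer sees the whole original packet as lost.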
thank you so much
Great info! Thanks!
Glad it was helpful!
Great video!
Thanks!
Great explanation and content. Leaving this comment for the algorithm, but if you keep putting out this kind of high quality content, you won't need any help from me. Keep up the great work!
Thanks for the comment! I appreciate that you help me out - comments really do help the algorithm which in turn helps me grow the channel.
you could do "sudo !!" to add sudo to the last command
Good thinking - sometimes I forget!
@@ChrisGreer thank you for the video. A couple of things I will add when talking about fragmentations to my students :D
does encryption still work with fragmentation?
Fragmentation happens at a lower layer than encryption with TLS. So it won’t impact the encryption.
Great thx Chris
You bet!
Can we avoid fragmentation by adjusting mss value ?
Yes, that is one way to do it. I'd probably do that as a last step though.
@@ChrisGreer thanks for replying... One more question... Can MSS be changed manually or does it adjust automatically?
I am waiting for your reply
@@villurisatya5132 Hello Villuri, Yes it can be changed manually. Within the OS, or even the network infrastructure along the path can adjust it.
@@ChrisGreer Thank you Chris... I saw your video on congestion avoidance which is actually slowing down the mss once it reach to the specific limit but it's not actually avoiding the congestion
I saw ECN is doing the congestion avoidance... Could you please do the video on ECN flag ... With Wireshark captures
Why is ICMP length 162 bytes?
thank bro!
nice thanks
Why is MTU decimal, not binary?
Can you clarify the question? Any number you see can be displayed either way. Not sure what you’re looking for.
Nice
Awesome
Thanks!
What happens in IPv6?
For IPv6, fragmentation is handled by the endpoints, not the network infrastructure. Check out datatracker.ietf.org/doc/html/rfc2460#page-18 for more info.
Why offset bit is always 8 bit?
Hello Nayan. Only 13 bits in the header are used to indicate the offset. If this represented a bit-level offset, we could only offset up to 1024 bytes, which is not even up to the max MTU in most environments. Counting bytes allows for a byte offset up to 8192, which is more in line with the purpose of needing a fragment in the first place. At this point we can't adjust the number of bits allocated without breaking the protocol. So... bytes it is!
@@ChrisGreer I really appreciate your quick reply and explanation.
I have one more question, but not about fragmentation. How is the browser using an existing session to do the SSL handshake? I thought the browser would reuse the existing session ID from the previous SSL handshake. Today I captured logs for one website: I accessed the site first, then kept the browser idle for 5 min and then refreshed the same page again. I saw a Client Hello going out, but then I saw this message "Change Cipher Spec, Application Data" from my system. There was no Server Hello message, and when I checked the session ID, that was also different. Not sure on what basis my browser did the SSL handshake.
Also gift us Udemy course 😁
That was very interesting.