Sending file with netcat over UDP: Unusual Wireshark output

netcat, networking, udp

For the purposes of demonstrating differences between TCP and UDP, I'm piping the contents of a file across a network connection, and recording the interaction with Wireshark. Everything looks normal in TCP, but in UDP things get a little weird.

I'm setting up listening on Machine A with

netcat -ul 5000

Then sending the file from Machine B with:

netcat -u <ip address> 5000 < file.txt

When I review the Wireshark log, I get half the message through UDP packets, and half apparently through IPv4 with no datagram at all (see screenshot below).

[Screenshot: Wireshark output]

Is this just Wireshark being weird in the way it displays data, or is half the message really coming across without anything from UDP? And why?

Best Answer

You get one UDP packet, which has the size of the file you are sending. The UDP packet is then fragmented to several IP packets by the IP stack.

Wireshark shows both the original IPv4 fragmented packets and the defragmented UDP packet fragments.

This is the standard operating behavior at the IP level if the upper level sends larger packets than the MTU of the L2 protocol allows.

In the TCP protocol, the protocol finds out the largest non-fragmentable Path MTU between hosts, and uses that size to send correctly sized packets, so that IP level fragmentation doesn't need to be done. This has benefits for the protocol operation.

Update:

IPv4 is the L3 (internet layer) protocol that handles the routing part of network operation. UDP is the L4 (transmission level) protocol that operates on top of IPv4.

And a concrete answer to your question:

This is the normal way of Wireshark showing fragmented data, showing both protocol layers. If you have HTTP requests, then you will see IPv4 + TCP + HTTP decoded requests in Wireshark; that is normal also.

Half of the message isn't coming from anywhere else; it is the same data on different levels of the protocol stack.
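
The fragmentation described in the answer above, as an added example that is not part of the original post: it splits one UDP datagram into IPv4 fragments and shows that only the fragment at offset 0 contains the UDP header, so the rest can only be decoded as IPv4 until they are reassembled. The 4000-byte payload, source port 40000 and 1500-byte MTU are constructed assumptions; IPv4 headers are modelled only as their 20-byte size.

```python
import struct

IP_HDR = 20   # IPv4 header without options
UDP_HDR = 8   # source port, destination port, length, checksum

def fragment_udp(payload: bytes, sport: int, dport: int, mtu: int = 1500):
    """Split one UDP datagram into IPv4 fragments as the IP layer does.

    Returns a list of (offset_bytes, more_fragments, data) tuples.
    """
    # Checksum is left at 0 (not computed) to keep the example short.
    udp = struct.pack("!HHHH", sport, dport, UDP_HDR + len(payload), 0) + payload
    # Every fragment except the last carries a multiple of 8 bytes,
    # because the IPv4 fragment offset field counts 8-byte units.
    chunk = (mtu - IP_HDR) // 8 * 8
    return [(off, off + chunk < len(udp), udp[off:off + chunk])
            for off in range(0, len(udp), chunk)]

def label(frag) -> str:
    """What can be decoded from this fragment on its own."""
    off, mf, data = frag
    if off == 0:
        sport, dport, length, _ = struct.unpack("!HHHH", data[:UDP_HDR])
        return f"UDP {sport}->{dport} len={length} MF={int(mf)}"
    return f"IPv4 fragment off={off} MF={int(mf)} (no UDP header)"

def reassemble(frags):
    """Rebuild the UDP datagram from fragments received in any order."""
    ordered = sorted(frags, key=lambda f: f[0])
    udp = b"".join(data for _, _, data in ordered)
    sport, dport, length, _ = struct.unpack("!HHHH", udp[:UDP_HDR])
    if length != len(udp):
        raise ValueError("missing fragment: UDP length does not match data")
    return sport, dport, udp[UDP_HDR:]

if __name__ == "__main__":
    file_bytes = b"A" * 4000               # constructed stand-in for file.txt
    frags = fragment_udp(file_bytes, 40000, 5000)
    for frag in frags:
        print(label(frag))
    sport, dport, data = reassemble(frags)
    print(f"reassembled: UDP {sport}->{dport}, {len(data)} payload bytes")
```
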