Practical Packet Analysis Notes 2

This 2nd post continues my notes from reading Practical Packet Analysis.

Unreachable port / Unreachable host

A loss of network connectivity can often be seen in Wireshark. For example, a Windows host will attempt 5 re-transmissions. While Wireshark does label these TCP Retransmission, you can also identify this process as each packet has the same Sequence value.

Often the the reply to an echo will source from a switch or router, and often you’ll observe an ARP request for the destination host to reply with a MAC address. This reply can be ICMP type 0 or 3. Code 1 in the ICMP packet = host unreachable. Code2 = port unreachable.


When layer 4 hands segments to layer 3 that are greater than 1500 bytes, the limit that can be carried in a frame across layer 2, the IP packets will be fragmented to fit.

Looking at the IP layer details of such a packet you can see Flags set to 0x01, meaning more fragments follow. The offset of the first packet in this data stream will be 0. The following fragment will show an offset ~1480. Fragmented packets will follow until the last arrives with a flag of 0x00 and that means no more fragments will follow.