tcpdump mailing list archives

Re: PCAP - IP Fragments


From: "Hans Klute" <hklute () gmx de>
Date: Thu, 1 Jul 2004 11:24:25 +0200 (MEST)

In some email I received from Hans Klute, sie wrote:
Hi!

I just realized a bug/feature of pcap that I didn't think of.
I wrote a sniffer based on pcap. This sniffer can handle fragmented IP
packets. Now I realized that if you set up a filter with a UDP or TCP port,
you will not get the additional fragments, because in these packets there
are no UDP/TCP headers present from which you can get a port number. So I
want to ask if it is possible to modify pcap behaviour and where to start.
You can tell that a packet should be passed up if the ID in the IP header
matches, the problem of course is if a fragment arrives before the first
packet. I would prefer a modification in pcap, instead of the sniffer,
regarding performance.

Any suggestions?

You could write a BPF expression to match a particular packet id#.


How should I do this? I don't know a specific packet id. What I would have
to do is to compare each packet id with the ones received earlier, and I must
store it to compare with ones received later. With that, whole packets must
be stored over a longer period.
This is not possible!? How does tcpdump handle this?

Hans


-- 
"You have new mail!" - The GMX Toolbar tells you while you surf!
Activate it now at http://www.gmx.net/info

-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

