tcpdump mailing list archives
Re: PCAP - IP Fragments
From: "Hans Klute" <hklute () gmx de>
Date: Thu, 1 Jul 2004 11:24:25 +0200 (MEST)
> In some email I received from Hans Klute, sie wrote:
> > Hi!
> > I just realized a bug/feature of pcap that I didn't think of. I wrote a sniffer based on pcap. This sniffer can handle fragmented IP packets. Now I realized that if you set up a filter with a UDP or TCP port, you will not get the additional fragments, because in these packets there are no UDP/TCP headers present from which you can get a port number. So I want to ask if it is possible to modify pcap behaviour and where to start.
>
> You can tell that a packet should be passed up if the ID in the IP header matches, the problem of course is if a fragment arrives before the first packet.
>
> > I would prefer a modification in pcap, instead of the sniffer, regarding performance. Any suggestions?
>
> You could write a BPF expression to match a particular packet id#.
How should I do this? I don't know a specific packet id. What I would have to do is to compare each packet id with the ones received earlier and I must store it to compare with ones received later. With that whole packets must be stored over a longer period. This is not possible!? How does tcpdump handle this?

Hans