tcpdump mailing list archives
Endianness issue with selecting non-fragmented packets
From: Richard Clayton <richard () highwayman com>
Date: Fri, 27 Jul 2018 19:21:12 +0100
I am running tcpdump under FreeBSD 11 on an AMD64. I have a file containing UDP packets and IP fragments.

This command (the filter corresponds to the information on the man page):

    tcpdump -r file.pcap "(ip[6:2] & 0x1FFF = 0)"

unexpectedly prints all of the packets :-(

The command:

    tcpdump -r file.pcap "(ip[6:2] & 0xFF1F = 0)"

skips all the fragments and only prints complete packets.

This is clearly an endianness issue ... but shouldn't tcpdump/libpcap be hiding that from me ? or is the man page incorrect ??

    # sysctl hw.model hw.machine hw.ncpu
    hw.model: Intel(R) Celeron(R) CPU G1620 @ 2.70GHz
    hw.machine: amd64
    hw.ncpu: 2

    # uname -v
    FreeBSD 11.2-STABLE #9: etc

    # tcpdump --version
    tcpdump version 4.9.2
    libpcap version 1.9.0
    OpenSSL 1.0.2o-freebsd 27 Mar 2018

--
richard Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755

_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
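Added example (not part of the original post, and not tcpdump or libpcap code): how "(ip[6:2] & mask = 0)" evaluates for the two masks in the message when the two bytes at offset 6 are combined in network byte order, which is how the filter language reads a multi-byte field. The sample headers and helper names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* ip[6:2]: the two bytes at offset 6 of the IPv4 header (flags + fragment
 * offset), combined in network byte order whatever the host CPU is. */
static uint16_t ip_off_field(const uint8_t *iphdr) {
    return (uint16_t)((iphdr[6] << 8) | iphdr[7]);
}

/* Evaluate the filter "(ip[6:2] & mask = 0)" against one header. */
static int filter_matches(const uint8_t *iphdr, uint16_t mask) {
    return (ip_off_field(iphdr) & mask) == 0;
}

/* Constructed samples; only bytes 6-7 differ. Bits: 0x4000 DF, 0x2000 MF,
 * 0x1FFF fragment offset in 8-byte units. */
struct sample { const char *what; uint8_t hdr[20]; };
static const struct sample samples[] = {
    { "whole datagram, DF clear",      {0x45, 0, 0, 0, 0, 0, 0x00, 0x00} },
    { "whole datagram, DF set",        {0x45, 0, 0, 0, 0, 0, 0x40, 0x00} },
    { "first fragment (MF, offset 0)", {0x45, 0, 0, 0, 0, 0, 0x20, 0x00} },
    { "middle fragment (MF, off 185)", {0x45, 0, 0, 0, 0, 0, 0x20, 0xB9} },
    { "last fragment (offset 370)",    {0x45, 0, 0, 0, 0, 0, 0x01, 0x72} },
    { "last fragment (offset 32)",     {0x45, 0, 0, 0, 0, 0, 0x00, 0x20} },
};
#define NSAMPLES (sizeof samples / sizeof samples[0])

/* Number of samples a given mask lets through. */
static unsigned count_matches(uint16_t mask) {
    unsigned n = 0;
    for (size_t i = 0; i < NSAMPLES; i++)
        n += (unsigned)filter_matches(samples[i].hdr, mask);
    return n;
}

int main(void) {
    printf("%-32s field   &0x1FFF=0  &0xFF1F=0\n", "sample");
    for (size_t i = 0; i < NSAMPLES; i++) {
        const uint8_t *h = samples[i].hdr;
        printf("%-32s 0x%04X  %-9s  %s\n", samples[i].what, ip_off_field(h),
               filter_matches(h, 0x1FFF) ? "match" : "-",
               filter_matches(h, 0xFF1F) ? "match" : "-");
    }
    return 0;
}
```

Read this way, 0x1FFF covers exactly the 13 fragment-offset bits, while 0xFF1F also tests the three flag bits and leaves offset bits 0x00E0 untested, so the two masks select different sets of packets.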