["Ronnie Sahlberg" <rsahlber@xxxxxxxxxxxxxx>]

Hi list,

I think you do not understand exactly what I mean.
The defragmentation is performed within dissect_ip() and is completely
unaware of from where the ip fragments come, be it from a capture file of
any format or from
listening on an interface.
Defragmentation is completed and is working very well, this was the easy
part.
The defragmentation as of now can handle any ordering of packets,
overlapping packets,
duplicates etc etc.
What I want is a way to inject the defragmented packets from dissect_ip()
into the input stream of packets from
ethereal.

Well, I ll give a demonstration,
attached are packet-ip.c and a capture file.
the capture file contains two fragmented icmp packets.
DO NOT COMMIT THIS PACKET-IP.C, it is still filled with debugging output,
leaks memory and is incomplete.
Though, try it and start ethereal from a command line with ./ethereal -n -r
A995.cap
When ethereal has successfulyl defragmented a packet, it will be printed in
hex to stdout,
two such defragmented packets will be printed.

Next step is to get this defragmented packet and feed into ethereal as if it
were in the actual file or received from the
interface.
I want ethereal to call dissect_ip() on this packet and then dissect_ip()
will call any higher-level protocol dissectors as might be
called normally for non-fragmented packets.

I do want these packets only to exist inside ethereal at runtime, so when
saving the capture, these "magic" packets will
not be put in the save-capture file.

Right now I think the best approiach to insert these packets into ethereal
at runtime would be to create a new type
of wiretap handler, a magic one which would read the apcket, and some scaled
down encapsulation form a memory buffer instead of from
a capture file or from an interface (same thing?).

I think a workable approach would be to create a new type of wiretap thingy
and then when a normal packet has been read and disected from
the normal file/interface, then it would automatically inject these magic
packets into the input stream, with a faked wcap structure etc etc.


The thing is, I want the UDP, RPC and similar upper level dissectors only to
be cal;led for completely unfragmented packets.
This would make UDP and similar dissectors completely unaware of the fact
that IP might be fragmented and would make
some things much easier regarding large packets. There are things I would
like to do with NFS which would be gratly simplified if UDP/RPC never see
any IP fragments, such as reconstructing files sent over NFS protocol which
would be greatly simplified if IP fragmentation
does not exist any more.
A lot of other "interesting" things (such as following TCP sessions) would
also be much simpler if ip-fragmentation does not exist
as far as the dissectors for those protocols are concerned.

The behaviour is controlled by the variable ip_defragment, set to 0 , old
behaviour is kept.
As in the source file, set to non-0, new defrasgmentation feature is
invoked.
No other files than packet-ip.c needed to be changed to defragment ip
packets.
Though other files will need to be changed in order to reinject these
packets within an ongoing ethereal read from the real capture-file or
interface.

Try it, you will see what I mean.

Attachment: A995.cap
Description: Binary data

Attachment: packet-ip.c
Description: Binary data