Ethereal-users: Re: [Ethereal-users] Saving reassembled IP packets?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Tony Frank <tfrank@xxxxxxxxxxxxxxxx>
Date: Wed, 14 Apr 2004 00:12:10 +1000

Hi there,

On Tue, Apr 13, 2004 at 03:27:29PM +0200, Biot Olivier wrote:
> 
> [Ccing Ethereal-Dev as a FYI (ToDo list item :)]

My comment at end has a more specific suggestion. :)

> |Using Ethereal 0.10.3 at the moment.
> |
> |I have some traces that involve UDP packets and IP fragmentation.
> |I turn on the feature:
> |Preferences->Protocols->IP->Reassemble fragmented IP datagrams
> |
> |When I view my trace it lets me use display filter to match on
> |fields etc in the reassembled packet.
> |I now ideally want to be able to combine the two packets into
> |one packet and save to a new trace.
> |
> |Unfortunately if I mark the 'reassembled' packet (easy to do
> |with a display filter and then 'Mark all packets')
> |When I do a 'save as' and include only marked packets, it
> |misses the first IP fragment and the new trace file thus has
> |packets that only include the last fragment, which then
> |has no UDP/TCP header, which makes them almost useless to me.
> 
> This is the behavior of Ethereal today. Ethereal will accumulate packets (in
> fact, parts of packets) until the "message" has been reassembled. Then only,
> the reassembled body will be offered to a higher-level dissector if
> applicable. This means that if packets 2 and 5 contain the 2 fragments of a
> fragmented IP datagram which conveys say UDP traffic, Ethereal will only
> flag packet 5 as UDP.
> 
> |Is there a way to easily mark all parts of a fragmented
> |datagram for future export/printing/saving etc?
> 
> Not today. It is not easy to implement either (we need to keep information
> on the protocol hierarchy, as for a UDP datagram spanning 3 fragmented IP
> datagrams running on top of Ethernet we do want all 3 packets to match "udp"
> but only the dedicated packet(s) to match an IP or Ethernet (or even
> lower-level) protocol display filter.

Thanks for all those other ideas - I'll have to dig out my perl notes
and come up with some script to actually implement some of those ideas.

I actually came up with something surprisingly simple that did the trick for me:

1. Display with preference protocol IP reassemble off
2. Apply display filter to match UDP (matches first frag with UDP header)
3. Mark all packets
4. Display with preference protocol IP reassemble on
5. Apply display filter to match UDP (matches reassembled, or last frag)
6. Mark all packets
7. Save as, marked only, captured

This works because in each of my cases there are only two fragments,
one with 1480 bytes and one with 40 bytes (due to tunneling headers).
First pass gets the first frag, second pass gets the last frag.
Probably not useful for the generic case where there might be multiple
fragments, or fragmenting occurs in the actual UDP/TCP header etc.

Currently with reassembly on, the displayed packets have the
ip.fragments field which lists each frame that makes up the
displayed frame.
I guess if we do a mark on such a packet it would be ideal if
Ethereal can notice this field and subsequently mark each of the
listed frames.

I will start a new message for my next question.

Regards,

Tony