Ethereal-users: Re: [Ethereal-users] Fragmented packets

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Stef <stefmit@xxxxxxxxx>
Date: Wed, 26 Jan 2005 18:55:41 -0600

1. Logic issue: why &&-ing, and only those options? This way you only
get the first fragment in every train (following fragments have either
both values for offset != 0 and MF set, or - for the last one - just
the offset != 0)
2. Logistics: when in doubt - TEST your filters. There are some that
may not fail the syntax test, but which are not logically correct: in
your case - create your own fragments, preferably from the machines
you are interested in "production", and play with all options, with
something like hping(2) - http://www.hping.org/, and see what you get
out of your filters.

HTH,
Stef

On Wed, 26 Jan 2005 11:06:37 -0600, Marty Browne - IT
<mbrowne@xxxxxxxxxxxxxx> wrote:
> Luis,
> 
> Thanks for the quick reply. I filtered for ip.flags.mf==1 &&
> ip.frag_offset==0. Nothing showed up. Does that mean for the packets
> that I captured, none of them were fragmented?
> 
> 
> Marty Browne
> Allergy & Asthma Associates
> 281-874-0447
> www.texallergy.com
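
The filter logic discussed in this thread, as an added example that is not part of the original messages: it builds four constructed IPv4 headers (unfragmented, first, middle and last fragment) and evaluates both the `&&` filter quoted above and an `||` form against them. The function names, addresses and sample values are assumptions made for illustration.

```python
import struct

def ipv4_header(flags_frag, ident=0x1234, payload_len=8):
    """Build a minimal 20-byte IPv4 header (checksum left at 0) for testing.
    flags_frag is the 16-bit flags/fragment-offset word at bytes 6-7."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                       flags_frag, 64, 17, 0,
                       bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))

def frag_fields(header):
    """Return (MF bit, fragment offset in bytes) from an IPv4 header."""
    (word,) = struct.unpack("!H", header[6:8])
    mf = (word >> 13) & 1          # bit 13 of the word is "more fragments"
    offset = (word & 0x1FFF) * 8   # low 13 bits, counted in 8-byte units
    return mf, offset

def first_only(header):
    """Equivalent of: ip.flags.mf==1 && ip.frag_offset==0"""
    mf, off = frag_fields(header)
    return mf == 1 and off == 0

def any_fragment(header):
    """Equivalent of: ip.flags.mf==1 || ip.frag_offset!=0"""
    mf, off = frag_fields(header)
    return mf == 1 or off != 0

# Constructed sample headers, one per case described in the reply.
SAMPLES = {
    "unfragmented": ipv4_header(0x4000),        # DF set, MF=0, offset 0
    "first":        ipv4_header(0x2000),        # MF=1, offset 0
    "middle":       ipv4_header(0x2000 | 185),  # MF=1, offset 1480
    "last":         ipv4_header(370),           # MF=0, offset 2960
}

def classify(samples=SAMPLES):
    """Map each sample name to (matches && filter, matches || filter)."""
    return {n: (first_only(h), any_fragment(h)) for n, h in samples.items()}

if __name__ == "__main__":
    for name, (and_hit, or_hit) in classify().items():
        print(f"{name:13s} &&-filter={and_hit!s:5s} ||-filter={or_hit}")
```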