Ethereal-users: Fwd: [Ethereal-users] Fragmented packets

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Stef <stefmit@xxxxxxxxx>
Date: Thu, 27 Jan 2005 06:31:43 -0600
Sorry if this is a repeat - Gmail has started failing on me more often
than ever before (it re-entered the alpha stage, probably, from the
beta that it is ;( ).


---------- Forwarded message ----------

1. Logic issue: why &&-ing, and only those options? This way you only
get the first fragment in every train (following fragments have either
both values for offset != 0 and MF set, or - for the last one - just
the offset != 0)
2. Logistics: when in doubt - TEST your filters. There are some that
may not fail the syntax test, but which are not logically correct: in
your case - create your own fragments, preferably from the machines
you are interested in "production", and play with all options, with
something like hping(2) - http://www.hping.org/, and see what you get
out of your filters.

HTH,
Stef

On Wed, 26 Jan 2005 11:06:37 -0600, Marty Browne - IT
<mbrowne@xxxxxxxxxxxxxx> wrote:
> Luis,
>
> Thanks for the quick reply. I filtered for ip.flags.mf==1 &&
> ip.frag_offset==0. Nothing showed up. Does that mean for the packets
> that I captured, none of them were fragmented?
>
>
> Marty Browne
> Allergy & Asthma Associates
> 281-874-0447
> www.texallergy.com
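
Added example, not part of the original thread: the two fragment-bit tests from Stef's first point, run over a constructed train of IPv4 headers to show which fragments each predicate matches. The addresses, IDs and sizes are constructed sample values, and the OR form is an assumption drawn from Stef's description of the later fragments, not a filter quoted in the thread.

```python
import struct

MF_BIT = 0x2000        # "more fragments" flag in the 16-bit flags/offset word
OFFSET_MASK = 0x1FFF   # 13-bit fragment offset, counted in 8-byte units

def ipv4_header(ident, mf, offset_bytes, payload_len):
    """Build a minimal 20-byte IPv4 header (constructed sample, checksum 0)."""
    if offset_bytes % 8:
        raise ValueError("fragment offset must be a multiple of 8 bytes")
    flags_frag = (MF_BIT if mf else 0) | (offset_bytes // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                       flags_frag, 64, 1, 0,
                       bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))

def frag_fields(header):
    """Return (mf, offset_in_bytes) read from bytes 6-7 of an IPv4 header."""
    (flags_frag,) = struct.unpack_from("!H", header, 6)
    return bool(flags_frag & MF_BIT), (flags_frag & OFFSET_MASK) * 8

def filter_and(header):
    """Mirrors ip.flags.mf==1 && ip.frag_offset==0 (the filter in the question)."""
    mf, offset = frag_fields(header)
    return mf and offset == 0

def filter_or(header):
    """Assumed alternative: MF set OR offset != 0, i.e. any fragment."""
    mf, offset = frag_fields(header)
    return mf or offset != 0

# Constructed sample: one whole datagram plus a three-fragment train.
SAMPLE = {
    "unfragmented": ipv4_header(1, False, 0, 64),
    "first":        ipv4_header(2, True, 0, 1480),
    "middle":       ipv4_header(2, True, 1480, 1480),
    "last":         ipv4_header(2, False, 2960, 100),
}

def matches(predicate):
    """Names of the sample packets the predicate selects, in capture order."""
    return [name for name, hdr in SAMPLE.items() if predicate(hdr)]

if __name__ == "__main__":
    print("AND form:", matches(filter_and))
    print("OR form: ", matches(filter_or))
```
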