Ethereal-users: Re: [Ethereal-users] Need to capture fragmented packets

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Guy Harris" <gharris@xxxxxxxxx>
Date: Mon, 13 Feb 2006 14:42:49 -0800 (PST)

Jeff Shafer wrote:
> I've been working with Tethereal (command line version of Ethereal) to
> capture IP fragments, but I'm not seeing them.

Are you using a capture filter?

If so, does the capture filter refer to *any* fields in the TCP or UDP
header, such as the port number?

If so, that won't work.  Only the first fragment will have the TCP or UDP
header, and thus a filter such as "udp port 2049" will only match the
first fragment.

Read filters don't work, either - if you look for "nfs", only the *last*
fragment will be saved, as that's the only packet that Ethereal will
identify as an NFS packet.

> This seems odd since I can see them with Ethereal.

*Capture* them, or *see* them?

Ethereal will have the same problem with capture filters (as it's the same
code - capture filters are implemented in libpcap/WinPcap and the OS code
it uses, not in Ethereal or Tethereal themselves).
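
Added example, not part of the original message: a small Python model of the capture-filter behaviour described above, showing that a "udp port 2049" style match sees only the first fragment while a match widened to non-zero fragment offsets keeps the rest. The addresses, source port, IP ID, payload size and function names are constructed for illustration.

```python
import struct

def ipv4_udp_fragments(payload_len, frag_size, sport, dport, ident=0x1234):
    """Build constructed IPv4 fragments of one UDP datagram (checksums left 0)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + payload_len, 0) + b"A" * payload_len
    frags = []
    for off in range(0, len(udp), frag_size):        # frag_size must be a multiple of 8
        chunk = udp[off:off + frag_size]
        mf = 0x2000 if off + frag_size < len(udp) else 0   # More Fragments flag
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(chunk), ident,
                          mf | (off // 8), 64, 17, 0,
                          bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
        frags.append(hdr + chunk)
    return frags

def frag_offset(pkt):
    """Fragment offset field (in 8-byte units) from bytes 6-7 of the IP header."""
    return struct.unpack("!H", pkt[6:8])[0] & 0x1FFF

def match_udp_port(pkt, port):
    """Models a 'udp port N' capture filter: the UDP header, and so the port,
    is only present in the fragment with offset 0."""
    if pkt[9] != 17 or frag_offset(pkt) != 0:
        return False
    ihl = (pkt[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return port in (sport, dport)

def match_port_or_later_fragment(pkt, port):
    """Wider match: the port test, or any UDP fragment with a non-zero offset
    (in pcap filter syntax: ip proto 17 and ip[6:2] & 0x1fff != 0)."""
    return match_udp_port(pkt, port) or (pkt[9] == 17 and frag_offset(pkt) != 0)

# Constructed sample: a 3000-byte payload to port 2049, split into 1480-byte fragments.
FRAGS = ipv4_udp_fragments(payload_len=3000, frag_size=1480, sport=1023, dport=2049)

if __name__ == "__main__":
    for p in FRAGS:
        print("offset", frag_offset(p) * 8,
              "port-only:", match_udp_port(p, 2049),
              "port-or-fragment:", match_port_or_later_fragment(p, 2049))
```

The wider match also keeps later fragments of unrelated UDP datagrams, since those fragments carry no port to test; narrowing by host address is the usual way to limit that.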