On Apr 29, 2008, at 9:48 AM, Maynard, Chris wrote:
> In Wireshark, if I want to capture UDP traffic on a specific port (say port 50000 for purposes of this discussion), I can easily set a capture filter as "udp port 50000", and I get all the traffic I'm interested in, including all IP fragments.
Only if you don't have any fragmented IP datagrams. If you get any fragments other than the first fragment with that capture filter, that would be a miracle.
> So, how does Wireshark handle this? I guess there is some magic filter "behind the scenes" similar to what I have shown above for capturing IP fragments that takes care of the IP fragment capturing as well?
Nope. It handles it by not handling it; as indicated, perhaps some miracle happened, but Wireshark just passes the capture filter on to pcap_compile().
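The following is an added example, not code from this thread or from Wireshark or libpcap. It constructs an IPv4/UDP datagram, fragments it, and runs each fragment through two small hand-written evaluators that mirror the tests BPF code from pcap_compile() performs for two capture filters: "udp port 50000" (which only examines the ports when the fragment offset in ip[6:2] is zero, so non-first fragments never match) and the common fragment-catching form "udp port 50000 or (ip[6:2] & 0x1fff) != 0". The fragment-catching filter is the usual idiom, not the one Chris refers to as "shown above", which this page does not include; the packet bytes, addresses and port numbers are constructed for the demonstration, and no libpcap call is made.

```python
"""Why 'udp port 50000' misses IPv4 fragments, and what the usual fix catches.

Constructed example (not from the mailing-list thread): an IPv4/UDP datagram is
fragmented, and each fragment is checked with evaluators that follow the tests
pcap_compile() emits for the two capture filters. Raw IPv4 only, no link layer,
so ip[6:2] is simply bytes 6..7 of the packet.
"""
import struct

IPPROTO_UDP = 17
MF_FLAG = 0x2000          # "more fragments" bit in the IPv4 flags/offset field
FRAG_OFF_MASK = 0x1FFF    # 13-bit fragment offset, in 8-byte units


def ipv4_header(payload_len, ident, flags_frag, proto, src, dst):
    """Build a 20-byte IPv4 header. The checksum is left at zero because neither
    capture filter looks at it (assumption made for brevity, not for realism)."""
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, 20 + payload_len, ident, flags_frag,
                       64, proto, 0, src, dst)


def build_fragments(sport, dport, data, frag_payload=16, ident=0x1234):
    """Fragment one UDP datagram the way a router would: only the first fragment
    carries the UDP header; later fragments carry raw bytes at an increasing
    offset expressed in 8-byte units. frag_payload must be a multiple of 8.
    Addresses 10.0.0.1 -> 10.0.0.2 are constructed values."""
    assert frag_payload % 8 == 0
    udp = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    frags = []
    for off in range(0, len(udp), frag_payload):
        chunk = udp[off:off + frag_payload]
        more = MF_FLAG if off + frag_payload < len(udp) else 0
        hdr = ipv4_header(len(chunk), ident, more | (off // 8), IPPROTO_UDP, src, dst)
        frags.append(hdr + chunk)
    return frags


def frag_offset(pkt):
    """The BPF expression ip[6:2] & 0x1fff for a raw IPv4 packet."""
    return struct.unpack("!H", pkt[6:8])[0] & FRAG_OFF_MASK


def match_udp_port(pkt, port):
    """Follows the BPF that pcap_compile() generates for 'udp port <port>' on
    IPv4: protocol must be UDP, the fragment offset must be zero, and one of the
    two UDP ports must equal <port>. A non-first fragment fails the offset test
    before any port is looked at, which is why it is never captured."""
    if len(pkt) < 20 or pkt[9] != IPPROTO_UDP or frag_offset(pkt) != 0:
        return False
    ihl = (pkt[0] & 0x0F) * 4
    if len(pkt) < ihl + 4:
        return False
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return port in (sport, dport)


def match_udp_port_or_fragment(pkt, port):
    """Follows 'udp port <port> or (ip[6:2] & 0x1fff) != 0', the usual way to
    keep the trailing fragments. The second clause cannot see any ports, so it
    admits every non-first IPv4 fragment of any protocol; the final decision has
    to be made after reassembly, e.g. with a Wireshark display filter."""
    return match_udp_port(pkt, port) or (len(pkt) >= 20 and frag_offset(pkt) != 0)


def evaluate(frags, port):
    """Return (plain filter results, fragment-aware filter results) per fragment."""
    return ([match_udp_port(f, port) for f in frags],
            [match_udp_port_or_fragment(f, port) for f in frags])


if __name__ == "__main__":
    frags = build_fragments(40000, 50000, b"A" * 40)   # 48-byte UDP datagram -> 3 fragments
    plain, aware = evaluate(frags, 50000)
    for i, f in enumerate(frags):
        print(f"fragment {i}: offset={frag_offset(f)} "
              f"'udp port 50000'={plain[i]} fragment-aware={aware[i]}")
```

Running it shows the first fragment matching both filters and the two trailing fragments matching only the fragment-aware one. The trade-off is visible in the second evaluator: a trailing fragment of an unrelated datagram (DNS on port 53, say) is also admitted, because the capture filter has no ports to test at that point. The ip[6:2] test is IPv4-specific; IPv6 carries fragment information in an extension header and needs a different expression.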