Wireshark-dev: Re: [Wireshark-dev] How to capture all IP fragments?

From: Eloy Paris <peloy@xxxxxxxxxx>
Date: Wed, 30 Apr 2008 15:10:21 -0400
On Wed, Apr 30, 2008 at 10:29:54AM -0400, Maynard, Chris wrote:

> I must be losing my mind.  I tried this several times yesterday and I
> could have sworn I captured all fragments with Wireshark but not with
> tcpdump using the same exact capture filter.  Of course today I can't
> recreate it, so obviously I was doing something wrong yesterday or just
> wildly hallucinating.
> 
> OK, well then let me modify the question slightly.  Is there a way to
> capture the IP fragments, but only those that are part of the "UDP
> stream" I'm interested in?  In other words, if I send a 3K chunk of data
> over UDP to port 50000, it will get broken up into 3 IP packets.  I want
> to capture all 3 packets, but I don't want to capture any other IP
> fragments.  I don't think it's possible via a capture filter but I
> figured I would ask.  And so assuming you had other irrelevant IP
> fragments in your capture file, is there a way to easily filter them out
> using a display filter?  Even that seems difficult to me because I guess
> you could use the IP's ID field, but that would only work for a single
> instance, and of course I'm looking for the more general case.

I don't think that what you are trying to do can be accomplished with
capture or display filters since as you know only the first fragment
has layer 4 information that can be used by the filter, and since
filters don't keep state, then fragments other than the first can't be
identified by a filter that uses layer 4 information.

I don't know how one would go about leveraging libwireshark's
re-assembly features, though.

Cheers,

Eloy Paris.-
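As an added illustration of the point Eloy makes (not part of this thread, and not Wireshark's or libpcap's own code), the following Python script emulates two pcap filter primitives on constructed IPv4 packets and contrasts them with the stateful matching a filter cannot do. `udp dst port 50000` only ever matches the first fragment, because libpcap deliberately refuses to read a UDP header out of a packet whose fragment offset is non-zero; `ip[6:2] & 0x1fff != 0` (the pcap-filter idiom for "every fragment except the first") catches the later fragments but cannot tell which datagram they belong to. The `stateful_udp_dst_port` function shows what linking them takes: remembering the (src, dst, protocol, IP ID) key from the first fragment. All packets, addresses, IDs and ports are constructed sample data.

```python
import socket
import struct
from typing import Dict, List, Set, Tuple

UDP_PROTO = 17
MF_FLAG = 0x2000      # "More Fragments" bit in the IPv4 flags/fragment-offset word
OFFSET_MASK = 0x1FFF  # low 13 bits: fragment offset in 8-byte units

Key = Tuple[str, str, int, int]   # (src, dst, protocol, IP identification)


def build_ipv4(src: str, dst: str, ident: int, frag_word: int, proto: int, payload: bytes) -> bytes:
    """Constructed test packet: minimal 20-byte IPv4 header (checksum left at 0) plus payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, frag_word,
                       64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst)) + payload


def parse_ipv4(pkt: bytes) -> Dict:
    ver_ihl, _, total_len, ident, frag_word, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "proto": proto, "id": ident,
            "offset": (frag_word & OFFSET_MASK) * 8,   # convert 8-byte units to bytes
            "more": bool(frag_word & MF_FLAG), "payload": pkt[ihl:total_len]}


def flow_key(pkt: bytes) -> Key:
    ip = parse_ipv4(pkt)
    return (ip["src"], ip["dst"], ip["proto"], ip["id"])


def is_later_fragment(pkt: bytes) -> bool:
    """Emulates the pcap filter `ip[6:2] & 0x1fff != 0`: any fragment except the first.
    This is all a stateless filter can say about a non-first fragment."""
    return parse_ipv4(pkt)["offset"] != 0


def stateless_udp_dst_port(pkt: bytes, port: int) -> bool:
    """Emulates the pcap primitive `udp dst port N`. Like libpcap it gives up when the
    fragment offset is non-zero: those bytes are datagram payload, not a UDP header."""
    ip = parse_ipv4(pkt)
    if ip["proto"] != UDP_PROTO or ip["offset"] != 0 or len(ip["payload"]) < 8:
        return False
    return struct.unpack("!HHHH", ip["payload"][:8])[1] == port


def stateful_udp_dst_port(pkts: List[bytes], port: int) -> List[int]:
    """What a capture filter cannot do: remember the (src, dst, proto, id) key of every
    first fragment that matched the port, then keep each packet sharing one of those keys.
    Two passes, so a trailing fragment that arrives before its first fragment is still kept."""
    keys: Set[Key] = {flow_key(p) for p in pkts if stateless_udp_dst_port(p, port)}
    return [i for i, p in enumerate(pkts) if flow_key(p) in keys]


def udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def sample_capture() -> List[bytes]:
    """Constructed capture: a 3000-byte UDP datagram to port 50000 that an Ethernet MTU splits
    into 1480 + 1480 + 48 bytes (offsets 0, 185 and 370 in 8-byte units), delivered out of order,
    mixed with an unrelated fragmented datagram to port 514 and one unfragmented DNS packet."""
    a, b, c = "10.0.0.1", "10.0.0.2", "10.0.0.3"
    big = udp(40000, 50000, b"\xaa" * 3000)      # 3008 bytes of UDP
    other = udp(41000, 514, b"\xbb" * 2000)      # 2008 bytes of UDP, different sender and IP ID
    return [
        build_ipv4(a, b, 0x1234, MF_FLAG | 185, UDP_PROTO, big[1480:2960]),  # 2nd fragment, first on the wire
        build_ipv4(a, b, 0x1234, MF_FLAG | 0,   UDP_PROTO, big[:1480]),      # 1st fragment: has the UDP header
        build_ipv4(c, b, 0x0042, MF_FLAG | 0,   UDP_PROTO, other[:1480]),    # unrelated datagram, 1st fragment
        build_ipv4(c, b, 0x0043, 0,             UDP_PROTO, udp(5353, 53, b"\x00" * 30)),  # unfragmented
        build_ipv4(c, b, 0x0042, 185,           UDP_PROTO, other[1480:]),    # unrelated datagram, last fragment
        build_ipv4(a, b, 0x1234, 370,           UDP_PROTO, big[2960:]),      # 3rd (last) fragment
    ]


if __name__ == "__main__":
    pkts = sample_capture()
    print("udp dst port 50000 (stateless):", [i for i, p in enumerate(pkts) if stateless_udp_dst_port(p, 50000)])
    print("ip[6:2] & 0x1fff != 0         :", [i for i, p in enumerate(pkts) if is_later_fragment(p)])
    print("stateful, keyed on 1st fragment:", stateful_udp_dst_port(pkts, 50000))
```

The stateless filter returns only packet 1, the offset test returns packets 0, 4 and 5 with no way to separate the port-514 fragment from the port-50000 ones, and the keyed matcher returns 0, 1 and 5. The key is only valid while a datagram is in flight: the IP ID field is 16 bits and is reused, so anything doing this for real (which is what libwireshark's reassembly does after capture) has to retire a key once the fragment with the MF bit clear has been seen, or after a timeout.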