Wireshark · Wireshark-dev: Re: [Wireshark-dev] How to capture all IP fragments?

Wireshark-dev: Re: [Wireshark-dev] How to capture all IP fragments?

From: Guy Harris <guy@xxxxxxxxxxxx>

Date: Wed, 30 Apr 2008 12:31:21 -0700

Eloy Paris wrote:

I don't think that what you are trying to do can be accomplished with
capture or display filters since as you know only the first fragment
has layer 4 information that can be used by the filter, and since
filters don't keep state, then fragments other than the first can't be
identified by a filter that uses layer 4 information.

...and there's no guarantee that the first fragment will be the firstone transmitted, so even if the filter *did* keep state, there's noguarantee that it could work. (I seem to remember hearing that at leastsome versions of the Linux IPv4 stack transmit the fragments in reverseorder, perhaps so that the first received fragment gives the length ofthe reassembled datagram, and the receiver can allocate a buffer for thefragment at that point.)

References:
- Re: [Wireshark-dev] How to capture all IP fragments?
  - From: Guy Harris
- Re: [Wireshark-dev] How to capture all IP fragments?
  - From: Maynard, Chris
- Re: [Wireshark-dev] How to capture all IP fragments?
  - From: Eloy Paris

Prev by Date: Re: [Wireshark-dev] How to capture all IP fragments?
Next by Date: Re: [Wireshark-dev] Re : Re: SMTP : Copying Data into a file
Previous by thread: Re: [Wireshark-dev] How to capture all IP fragments?
Next by thread: [Wireshark-dev] Should we also require GLib 2.4 or later?
Index(es):
- Date
- Thread