PCAP - IP Fragments

["Hans Klute" <hklute () gmx de>]

Hi!

I just realized a bug/feature of pcap that I didn´t think of.
I wrote a sniffer based on pcap. This sniffer can handle fragmented IP
packets. Now I realized that if you set up a filter with a UDP or TCP port,
you will not get the additional fragments, because in these packets there
are no UDP/TCP headers present from which you can get a port number. So I
want to ask if it is possible to modify pcap behaviour and where to start. 
You can tell that a packet should be passed up if the ID in the IP header
matches, the problem of course is if a fragment arrives before the first
packet. I would prefer a modification in pcap, instead of the sniffer,
regarding performance.

Any suggestions?

hklute

-- 
"Sie haben neue Mails!" - Die GMX Toolbar informiert Sie beim Surfen!
Jetzt aktivieren unter http://www.gmx.net/info

-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.