tcpdump mailing list archives
Re: PCAP - IP Fragments
From: Guy Harris <guy () alum mit edu>
Date: Thu, 1 Jul 2004 12:08:30 -0700
On Jul 1, 2004, at 2:50 AM, sthaug () nethelp no wrote:
tcpdump doesn't have any specific facility to handle fragmented packets, as far as I know (it cannot reassemble the fragments).
That capability could be added (Ethereal supports it), although, if provided, it should be an option (as reassembly would consume extra memory - it's an option in Ethereal).
However, that wouldn't help in the packet filtering; neither tcpdump nor Ethereal nor any other program using libpcap/WinPcap to capture traffic can arrange, with a capture filter, to capture all fragments of traffic between two particular transport-layer endpoints, because BPF isn't stateful and can't remember that, if it sees the first fragment of a fragmented IP datagram, it should capture all other fragments between those two IP addresses with the same IP ID.
I.e., tcpdump *doesn't* handle that (and neither does Ethereal).
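The limitation described in the message above, as an added Python example that is not part of the original post or of tcpdump/libpcap: a per-packet port test matches only the first fragment, while a post-capture pass keyed on source, destination, protocol and IP ID recovers the rest. The packets, addresses and function names are constructed for illustration.

```python
import struct
from collections import defaultdict

def ipv4(src, dst, ip_id, off8, more, payload, proto=17):
    """Build a minimal IPv4 packet (constructed sample; checksum left as 0)."""
    flags_off = (0x2000 if more else 0) | off8  # MF flag + offset in 8-byte units
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ip_id,
                       flags_off, 64, proto, 0, bytes(src), bytes(dst)) + payload

def parse(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    total, ip_id, flags_off = struct.unpack("!HHH", pkt[2:8])
    return {"key": (pkt[12:16], pkt[16:20], pkt[9], ip_id),
            "offset": (flags_off & 0x1FFF) * 8, "more": bool(flags_off & 0x2000),
            "data": pkt[ihl:total]}

def stateless_port_match(pkt, port):
    """Per-packet test, like a capture filter: ports exist only at offset 0."""
    p = parse(pkt)
    if p["key"][2] != 17 or p["offset"] != 0 or len(p["data"]) < 4:
        return False
    return port in struct.unpack("!HH", p["data"][:4])

def stateful_port_match(pkts, port):
    """Two passes, so fragments that arrive before the first one are kept too."""
    wanted = {parse(p)["key"] for p in pkts if stateless_port_match(p, port)}
    return [p for p in pkts if parse(p)["key"] in wanted]

def reassemble(pkts):
    """Rebuild complete datagrams; sets with gaps or overlaps are dropped."""
    groups = defaultdict(list)
    for p in map(parse, pkts):
        groups[p["key"]].append(p)
    out = {}
    for key, frags in groups.items():
        frags.sort(key=lambda f: f["offset"])
        buf, contiguous = b"", True
        for f in frags:
            contiguous = contiguous and f["offset"] == len(buf)
            buf += f["data"]
        if contiguous and not frags[-1]["more"]:
            out[key] = buf
    return out

# Constructed capture: two fragmented UDP datagrams, the first one out of order.
A, B = [192, 0, 2, 1], [192, 0, 2, 2]
DNS = struct.pack("!HHHH", 40000, 53, 32, 0) + b"Q" * 24
NTP = struct.pack("!HHHH", 40001, 123, 32, 0) + b"N" * 24
CAPTURE = [ipv4(A, B, 7, 2, False, DNS[16:]), ipv4(A, B, 7, 0, True, DNS[:16]),
           ipv4(A, B, 8, 0, True, NTP[:16]), ipv4(A, B, 8, 2, False, NTP[16:])]
```

On real traffic this only works if the capture filter was broad enough (for example, host addresses only) for the non-first fragments to be in the capture file at all.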
