tcpdump mailing list archives
Endianness issue with selecting non-fragmented packets
From: Richard Clayton <richard () highwayman com>
Date: Fri, 27 Jul 2018 19:21:12 +0100
I am running tcpdump under FreeBSD 11 on an AMD64.
I have a file containing UDP packets and IP fragments.
This command (the filter corresponds to the information on the man
page):
tcpdump -r file.pcap "(ip[6:2] & 0x1FFF = 0)"
unexpectedly prints all of the packets :-(
The command:
tcpdump -r file.pcap "(ip[6:2] & 0xFF1F = 0)"
skips all the fragments and only prints complete packets.
This is clearly an endianness issue ... but shouldn't tcpdump/libpcap be
hiding that from me? Or is the man page incorrect??
# sysctl hw.model hw.machine hw.ncpu
hw.model: Intel(R) Celeron(R) CPU G1620 @ 2.70GHz
hw.machine: amd64
hw.ncpu: 2
# uname -v
FreeBSD 11.2-STABLE #9: etc
# tcpdump --version
tcpdump version 4.9.2
libpcap version 1.9.0
OpenSSL 1.0.2o-freebsd 27 Mar 2018
--
richard Richard Clayton
Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755
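An added example (not part of the original message, and not tcpdump or libpcap code): a small Python model of how `(ip[6:2] & mask) = 0` evaluates on constructed IPv4 headers, for comparing the two masks in the post. The helper names and the `byteorder="little"` reading are assumptions made for comparison only, not a statement of how libpcap behaves.

```python
import struct

MF, DF = 0x2000, 0x4000   # "more fragments" / "don't fragment" bits of bytes 6..7
                          # the low 13 bits (0x1FFF) are the fragment offset

def ipv4_header(flags_frag, proto=17):
    """Constructed 20-byte IPv4 header (checksum left zero); flags_frag is bytes 6..7."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, flags_frag,
                       64, proto, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))

def load_ip_6_2(header, byteorder="big"):
    """ip[6:2]: BPF loads multi-byte values in network (big-endian) order.
    byteorder="little" is a hypothetical alternative reading, for comparison only."""
    return int.from_bytes(header[6:8], byteorder)

def matches(header, mask, byteorder="big"):
    """Emulates the filter expression (ip[6:2] & mask) = 0."""
    return (load_ip_6_2(header, byteorder) & mask) == 0

def swap16(value):
    """Byte-swap a 16-bit value."""
    return ((value & 0xFF) << 8) | (value >> 8)

SAMPLES = {  # constructed headers, not taken from the poster's file
    "unfragmented": ipv4_header(0),
    "unfragmented, DF": ipv4_header(DF),
    "first fragment": ipv4_header(MF),          # offset 0, more fragments follow
    "middle fragment": ipv4_header(MF | 185),   # offset 185 * 8 = byte 1480
    "last fragment": ipv4_header(370),          # offset 370 * 8 = byte 2960
}

def table(mask, byteorder="big"):
    """Which sample headers the expression selects for a given mask."""
    return {name: matches(h, mask, byteorder) for name, h in SAMPLES.items()}

if __name__ == "__main__":
    print("swap16(0x1FFF) = 0x%04X" % swap16(0x1FFF))
    for mask in (0x1FFF, 0xFF1F):
        for order in ("big", "little"):
            print("mask 0x%04X, %s-endian load: %s" % (mask, order, table(mask, order)))
```

On a header in network byte order, 0x1FFF tests only the offset bits, so it also selects the first fragment of a fragmented datagram; 0xFF1F is the byte-swapped form of 0x1FFF and gives the same selection only when the field is read in the opposite byte order.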
