Hi,

Please find attached a patch which adds to libpcap the capability to reassemble fragmented IPv4 and IPv6 packets before they are passed to the user. I see two major benefits in integrating this functionality directly into libpcap:

1. Ease of adoption. Only a single function call must be added to existing libpcap applications in order to enable transparent reassembly.
2. Filter expressions. The semantics of pcap's filter is extended such that the filter is applied to the complete, reassembled packets. There is no need for the user to care about using filter expressions that explicitly match fragments.

The code is work in progress and still has some TODOs, but before doing the rest of the work, I wanted to check with the list to see whether the patch will have any chance of getting integrated into libpcap.

Remaining open issues and some other things to note:

- Reassembly is enabled by calling the function pcap_enable_ipreasm(). It must be called before any filters are compiled for the pcap instance in question, and before the linktype is examined.
- If reassembly is enabled, the linktype of the pcap instance will always be DLT_RAW. This is by intention. Otherwise, libpcap would have to know how to create link-layer and network-layer headers for the packets it reassembles. I believe this would be out of scope.
- In an attempt to cleanly integrate into the architecture of libpcap, the reassembly code creates a small BPF helper program that will assist in finding the offset in the captured packet where the IP header starts.
- Currently, no kernel level filtering is performed if reassembly is enabled. Instead, all packets are filtered in userspace after the reassembly process. There are more clever ways to do this.
- Instead of calling the user callback directly, the different capture backends now call the function pcap_invoke_callback(). This function takes care of performing the reassembly if requested, then invokes the user callback.
- Currently, reassembly is only implemented if reading from a savefile, or doing a live capture on Linux (but fixing this will be quite easy).
- The patch includes the "ipreasm" library which can also be used independently of libpcap. I'm planning to release this as a standalone library in the future. Or, maybe, it can just be maintained as part of libpcap.

Looking forward to your feedback.

Regards,
Jan

--
Jan Andres <[EMAIL PROTECTED]>
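To illustrate the filter-semantics point in the message above, the following added example (not code from the patch or from the ipreasm library) shows a "udp dst port 53" style check missing a non-first fragment but matching once the raw IPv4 datagram is rebuilt. The names `reasm_add`, `udp_dport_match`, `demo` and `MAXPAY` are hypothetical, the packet bytes are constructed, and the sketch assumes a single IPv4 datagram with no keying by address or ID and no timeouts.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAXPAY 2048  /* assumed cap on reassembled payload, bounds memory use */
struct reasm { uint8_t hdr[20], pay[MAXPAY], seen[MAXPAY]; size_t total; };

/* Userspace stand-in for "udp dst port N" on a raw IPv4 packet (DLT_RAW, no link header). */
static int udp_dport_match(const uint8_t *p, size_t len, uint16_t port) {
    size_t ihl = len >= 20 ? (p[0] & 0x0f) * 4u : 0;
    if (ihl < 20 || len < ihl + 4 || p[9] != 17) return 0;
    if (((p[6] & 0x1f) << 8 | p[7]) != 0) return 0;  /* later fragment: no UDP header */
    return ((p[ihl + 2] << 8) | p[ihl + 3]) == port;
}

/* Feed one fragment; returns the rebuilt packet length in out, or 0 while incomplete. */
static size_t reasm_add(struct reasm *r, const uint8_t *p, size_t len, uint8_t *out) {
    if (len < 20) return 0;
    size_t ihl = (p[0] & 0x0f) * 4u, tot = (size_t)p[2] << 8 | p[3];
    if (ihl < 20 || tot < ihl || tot > len) return 0;
    size_t off = (size_t)((p[6] & 0x1f) << 8 | p[7]) * 8, n = tot - ihl;
    if (off + n > MAXPAY) return 0;
    for (size_t i = 0; i < n; i++)               /* overlap policy: first copy wins */
        if (!r->seen[off + i]) { r->seen[off + i] = 1; r->pay[off + i] = p[ihl + i]; }
    if (off == 0) memcpy(r->hdr, p, 20);         /* IP options dropped for brevity */
    if (!(p[6] & 0x20)) r->total = off + n;      /* MF clear: this is the last fragment */
    if (!r->total) return 0;
    for (size_t i = 0; i < r->total; i++) if (!r->seen[i]) return 0;  /* hole remains */
    memcpy(out, r->hdr, 20); memcpy(out + 20, r->pay, r->total);
    out[0] = 0x45; out[2] = (uint8_t)((r->total + 20) >> 8); out[3] = (uint8_t)(r->total + 20);
    out[6] = out[7] = out[10] = out[11] = 0;     /* clear frag fields; checksum left zero */
    return r->total + 20;
}

/* Constructed input. Result bits: 1 = fragment 1 matches, 2 = fragment 2, 4 = reassembled. */
int demo(size_t *outlen) {
    uint8_t f1[36] = {0x45,0,0,36, 0x12,0x34,0x20,0, 64,17,0,0, 192,0,2,1, 192,0,2,2,
                      0x9c,0x40,0,53, 0,24,0,0, 'A','B','C','D','E','F','G','H'};
    uint8_t f2[28] = {0x45,0,0,28, 0x12,0x34,0x00,2, 64,17,0,0, 192,0,2,1, 192,0,2,2,
                      'I','J','K','L','M','N','O','P'};
    struct reasm r = {0}; uint8_t out[20 + MAXPAY];
    int bits = udp_dport_match(f1, 36, 53) | (udp_dport_match(f2, 28, 53) << 1);
    reasm_add(&r, f2, 28, out);                  /* fragments arrive out of order */
    *outlen = reasm_add(&r, f1, 36, out);
    return bits | (udp_dport_match(out, *outlen, 53) << 2);
}

int main(void) { size_t n; int b = demo(&n); printf("match bits=%d len=%zu\n", b, n); return 0; }
```

The second fragment carries no UDP header, so a per-fragment port filter cannot see it; only filtering after reassembly covers the whole datagram.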