On Tue, Nov 23, 2010, Guy Harris <[email protected]> said:
>
> On Nov 23, 2010, at 12:51 AM, Ankith Agarwal wrote:
>
>> I am trying to filter all the SIP packets using pcap filter on ports of
>> 5060 and 5061. But, some of the SIP packets are fragmented in the IP layer
>> because of their size (greater than MTU). I wanted to know whether the
>> pcap_loop api gives these packets by combining it, or it just gives the
>> last fragment of the packet.
>
> The pcap_loop API gives each *link-layer* packet, as received by the network
> adapter, that matches the filter. The same is true of all other
> packet-reading APIs (pcap_dispatch(), pcap_next(), and pcap_next_ex()), as
> they all run atop the same underlying packet capture mechanism.
>
> A fragmented IP datagram has the TCP or UDP header in the first fragment, so
> if your filter is filtering on a TCP or UDP port number, only the *FIRST*
> fragment will be delivered. If you want to capture *ALL* fragments, you will
> either need to capture with a filter that doesn't specify a TCP or UDP port
> number (or anything else in the TCP or UDP header), or that specifies "either
> this port number *OR* not the first fragment", and discard fragments that
> aren't part of an interesting reassembled fragment yourself.
>
> None of the libpcap/WinPcap APIs will reassemble packets for you; you will
> have to do the reassembly yourself (and discard fragments that aren't part of
> a packet sent to or from the ports you specify).
>
> (This is presumably SIP-over-UDP; if it's SIP-over-TCP or SIP-over-SCTP, the
> packets are probably "fragmented" at the TCP or SCTP layer, not the IP layer.)
> -
> This is the tcpdump-workers list.
> Visit https://cod.sandelman.ca/ to unsubscribe.

Thank you for your valuable suggestions.

I have tried out this filter expression: "ip[6]&0x02 == 1 and (sip related port numbers)". But, if a fragmented SIP packet is encountered, will this filter return the first fragment as SIP or the last fragment?

Regards
Ankith
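
The approach Guy Harris describes above ("either this port number OR not the first fragment", then discarding unrelated fragments yourself), written in C as an added example that is not part of the original thread or of libpcap. The capture filter string, `keep_packet()`, `make_pkt()` and the sample packets are assumptions constructed for illustration; in a pcap callback you would pass the bytes that follow the link-layer header.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed capture filter: udp port 5060 or udp port 5061 or (ip[6:2] & 0x1fff != 0) */
static struct frag_key { uint32_t src, dst; uint16_t id; } tracked[64];
static int n_tracked;   /* entries never expire here; a real tool would age them out */
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) { return ((uint32_t)be16(p) << 16) | be16(p + 2); }
static int is_sip(uint16_t port) { return port == 5060 || port == 5061; }

/* ip = start of the IPv4 header (link-layer header already skipped). 1 = keep, 0 = drop. */
int keep_packet(const uint8_t *ip, size_t len)
{
    size_t ihl = len >= 20 ? (size_t)(ip[0] & 0x0f) * 4 : 0;
    if (ihl < 20 || len < ihl || (ip[0] >> 4) != 4 || ip[9] != 17) return 0; /* IPv4/UDP only */
    uint16_t ff = be16(ip + 6), off = ff & 0x1fff;   /* flags + 13-bit fragment offset */
    struct frag_key k = { be32(ip + 12), be32(ip + 16), be16(ip + 4) };
    if (off == 0) {                     /* only offset 0 carries the UDP header */
        if (len < ihl + 8) return 0;
        if (!is_sip(be16(ip + ihl)) && !is_sip(be16(ip + ihl + 2))) return 0;
        if ((ff & 0x2000) && n_tracked < 64) tracked[n_tracked++] = k;   /* MF set */
        return 1;
    }
    for (int i = 0; i < n_tracked; i++)   /* later fragment: keep if its datagram was SIP */
        if (tracked[i].src == k.src && tracked[i].dst == k.dst && tracked[i].id == k.id)
            return 1;
    return 0;   /* also drops fragments that arrive before their first fragment */
}

/* Constructed sample packet: 20-byte IPv4 header plus 8 bytes of UDP header or payload. */
size_t make_pkt(uint8_t *b, uint16_t id, uint16_t ff, uint16_t dport)
{
    memset(b, 0, 28);
    b[0] = 0x45; b[9] = 17; b[15] = 1; b[19] = 2;          /* UDP, 0.0.0.1 -> 0.0.0.2 */
    b[4] = (uint8_t)(id >> 8); b[5] = (uint8_t)id; b[6] = (uint8_t)(ff >> 8); b[7] = (uint8_t)ff;
    b[22] = (uint8_t)(dport >> 8); b[23] = (uint8_t)dport;
    return 28;
}

int main(void)
{
    uint8_t p[28];
    int first = keep_packet(p, make_pkt(p, 7, 0x2000, 5060));  /* first fragment, MF set */
    int second = keep_packet(p, make_pkt(p, 7, 0x0001, 0));    /* same datagram, offset 8 */
    int other = keep_packet(p, make_pkt(p, 9, 0x0001, 0));     /* fragment of another datagram */
    printf("first=%d second=%d unrelated=%d\n", first, second, other);
    return 0;
}
```

This only decides which captured fragments belong to a SIP datagram, keyed on source address, destination address and IP ID; reassembling the payload from the kept fragments is still left to the application.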
