In Wireshark, if I want to capture UDP traffic on a specific port (say port 50000 for purposes of this discussion), I can easily set a capture filter as "udp port 50000", and I get all the traffic I'm interested in, including all IP fragments.
However, I have written my own pcap-based capturing tool, and if I use the same capture filter, I don't get all the IP fragments (just the first one). I have to use "udp port 50000 or (ip[6:2] & 0x2000 = 0x2000 or ip[6:2] & 0x1fff != 0x0000)" in order to get all the fragments, but with that filter I would also get fragments for all other ports, which is not what I want. I tried those exact same filters with tcpdump, and I got the exact same results.

So, how does Wireshark handle this? I guess there is some magic filter "behind the scenes", similar to what I have shown above for capturing IP fragments, that takes care of the IP fragment capturing as well? I'm not really familiar with how the capture filters work in Wireshark.

Sorry if this post is better suited to the tcpdump (or possibly even the WinPcap) mailing list(s), but Wireshark seems to have solved this quirk quite well, so I thought I would try here first.

- Chris

BTW: I'm using libpcap 0.9.8 with my own capture tool, but both Wireshark and tcpdump are using libpcap 0.8.3.

_______________________________________________
Wireshark-dev mailing list
[email protected]
http://www.wireshark.org/mailman/listinfo/wireshark-dev
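As an added illustration (not from the post above, and not Wireshark's or libpcap's own code), here is the stateful logic a capture tool needs in user space to keep every fragment of a UDP port's datagrams without also keeping fragments of other ports: a first fragment that matches the port registers its (src, dst, IP id) key, and only later fragments with that key are kept. Classic BPF is stateless and only the first fragment carries the UDP header, which is why "udp port 50000" alone cannot do this. The packets are constructed inline and the class and function names are the example's own.

```python
import struct
def parse_ipv4(pkt: bytes):
    """Return (src, dst, id, more_fragments, frag_offset, proto, payload)."""
    ihl = (pkt[0] & 0x0F) * 4
    ident, flags_off = struct.unpack("!HH", pkt[4:8])
    mf = bool(flags_off & 0x2000)     # the bit "ip[6:2] & 0x2000" tests
    off = flags_off & 0x1FFF          # the field "ip[6:2] & 0x1fff" tests
    return pkt[12:16], pkt[16:20], ident, mf, off, pkt[9], pkt[ihl:]

class UdpPortFragmentFilter:
    """Stateful filter: UDP datagrams on `port`, including every fragment.
    BPF's "udp port N" only sees the UDP header (first fragment, offset 0) and
    keeps no state; here a matching first fragment registers its (src, dst, IP id)
    key and later fragments with that key pass until the last one (MF clear)."""
    def __init__(self, port: int):
        self.port, self.pending = port, set()

    def accept(self, pkt: bytes) -> bool:
        src, dst, ident, mf, off, proto, payload = parse_ipv4(pkt)
        if proto != 17:                       # not UDP
            return False
        key = (src, dst, ident)
        if off == 0:                          # first fragment: UDP header present
            sport, dport = struct.unpack("!HH", payload[:4])
            if self.port not in (sport, dport):
                return False
            if mf:
                self.pending.add(key)
            return True
        if key in self.pending:               # later fragment of an accepted datagram
            if not mf:
                self.pending.discard(key)
            return True
        return False                          # also drops fragments seen before their first one

def make_frag(src, dst, ident, off, mf, payload):
    """Constructed IPv4 fragment (checksum left zero; offset in 8-byte units)."""
    flags_off = (0x2000 if mf else 0) | (off & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                      ident, flags_off, 64, 17, 0, src, dst)
    return hdr + payload
def demo():
    # Three fragments of one port-50000 datagram, then two of a port-53 datagram.
    a, b = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    f = UdpPortFragmentFilter(50000)
    udp = lambda dport: struct.pack("!HHHH", 40000, dport, 2008, 0)  # UDP header
    want = [make_frag(a, b, 1, 0, True, udp(50000) + b"A" * 1472),
            make_frag(a, b, 1, 185, True, b"A" * 1480), make_frag(a, b, 1, 370, False, b"A" * 48)]
    other = [make_frag(a, b, 2, 0, True, udp(53) + b"B" * 1472), make_frag(a, b, 2, 185, False, b"B" * 520)]
    return [f.accept(p) for p in want], [f.accept(p) for p in other]
```

demo() returns ([True, True, True], [False, False]): all three fragments of the port-50000 datagram pass, and neither fragment of the port-53 datagram does.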
