On Apr 29, 2008, at 9:48 AM, Maynard, Chris wrote:

> In Wireshark, if I want to capture UDP traffic on a specific port (say
> port 50000 for purposes of this discussion), I can easily set a capture
> filter as "udp port 50000", and I get all the traffic I'm interested in,
> including all IP fragments.

Only if you don't have any fragmented IP datagrams. If you get any fragments other than the first fragment with that capture filter, that would be a miracle.

> So, how does Wireshark handle this? I guess there is some magic filter
> "behind the scenes" similar to what I have shown above for capturing IP
> fragments that takes care of the IP fragment capturing as well?

Nope. It handles it by not handling it; as indicated, perhaps some miracle happened, but Wireshark just passes the capture filter on to pcap_compile().
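An added illustration, not part of the original message: a Python model of the IPv4 checks that a filter such as "udp port 50000" performs, run over a constructed fragmented datagram to show why only the first fragment can match. The addresses, the source port, the payload and the second, fragment-inclusive filter are assumptions made for the example.

```python
import struct

UDP = 17

def ipv4_header(total_len, ident, flags_off, proto=UDP):
    # 20-byte IPv4 header without options; checksum left at 0 (unused here).
    # Addresses are constructed sample values from the documentation range.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_off,
                       64, proto, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))

def fragment_udp(sport, dport, payload, mtu=1500, ident=0x1234):
    """Return the IPv4 packets that carry one UDP datagram at the given MTU."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    chunk = (mtu - 20) // 8 * 8           # fragment data is a multiple of 8 bytes
    packets = []
    for off in range(0, len(udp), chunk):
        data = udp[off:off + chunk]
        more = 0x2000 if off + chunk < len(udp) else 0    # More Fragments flag
        packets.append(ipv4_header(20 + len(data), ident, more | (off // 8)) + data)
    return packets

def frag_offset(pkt):
    return struct.unpack("!H", pkt[6:8])[0] & 0x1FFF

def match_udp_port(pkt, port):
    """Model of 'udp port <port>' for IPv4."""
    if pkt[9] != UDP:
        return False
    if frag_offset(pkt) != 0:     # later fragment: no UDP header, so no ports
        return False
    ihl = (pkt[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return port in (sport, dport)

def match_with_fragments(pkt, port):
    """Model of 'udp port <port> or (ip proto 17 and ip[6:2] & 0x1fff != 0)'."""
    later_fragment = pkt[9] == UDP and frag_offset(pkt) != 0
    return match_udp_port(pkt, port) or later_fragment

def demo():
    frags = fragment_udp(40000, 50000, b"A" * 3000)   # constructed sample datagram
    return ([match_udp_port(p, 50000) for p in frags],
            [match_with_fragments(p, 50000) for p in frags])

if __name__ == "__main__":
    print(demo())
```

The broader filter cannot tell which port a later fragment belongs to, so it also accepts later fragments of UDP datagrams sent to other ports; those have to be sorted out after reassembly.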
