I must be losing my mind. I tried this several times yesterday and I could have sworn I captured all fragments with Wireshark but not with tcpdump using the same exact capture filter. Of course today I can't recreate it, so obviously I was doing something wrong yesterday or just wildly hallucinating.
OK, well then let me modify the question slightly. Is there a way to capture the IP fragments, but only those that are part of the "UDP stream" I'm interested in? In other words, if I send a 3K chunk of data over UDP to port 50000, it will get broken up into 3 IP packets. I want to capture all 3 packets, but I don't want to capture any other IP fragments. I don't think it's possible via a capture filter, but I figured I would ask.

And so, assuming you had other irrelevant IP fragments in your capture file, is there a way to easily filter them out using a display filter? Even that seems difficult to me, because I guess you could use the IP's ID field, but that would only work for a single instance, and of course I'm looking for the more general case.

- Chris

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Harris
Sent: Tuesday, April 29, 2008 5:00 PM
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] How to capture all IP fragments?

On Apr 29, 2008, at 9:48 AM, Maynard, Chris wrote:

> In Wireshark, if I want to capture UDP traffic on a specific port (say
> port 50000 for purposes of this discussion), I can easily set a capture
> filter as "udp port 50000", and I get all the traffic I'm interested in,
> including all IP fragments.

Only if you don't have any fragmented IP datagrams. If you get any fragments other than the first fragment with that capture filter, that would be a miracle.

> So, how does Wireshark handle this? I guess there is some magic filter
> "behind the scenes" similar to what I have shown above for capturing IP
> fragments that takes care of the IP fragment capturing as well?

Nope. It handles it by not handling it; as indicated, perhaps some miracle happened, but Wireshark just passes the capture filter on to pcap_compile().

Wireshark-dev mailing list
http://www.wireshark.org/mailman/listinfo/wireshark-dev
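The following is an added example, not code from the thread or from Wireshark/libpcap. It shows why a capture filter such as `udp port 50000` sees only the first fragment (the UDP header exists only there; BPF also requires the fragment offset to be zero) and how a two-pass post-capture filter keyed on (src, dst, protocol, IP ID) keeps all fragments of the matching datagrams, which is the "general case" asked about above. The sample packets are constructed inline; the 1500-byte MTU and the 40000 source port are assumptions.

```python
import struct

UDP_PORT = 50000          # the port from the thread
MTU = 1500                # assumed link MTU for the constructed sample

def build_fragments(payload, ip_id, src, dst, dport, mtu=MTU):
    """Constructed sample: split one UDP datagram into IPv4 fragments as a host would."""
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload
    step = (mtu - 20) // 8 * 8                       # fragment data is a multiple of 8 bytes
    frags = []
    for off in range(0, len(udp), step):
        chunk = udp[off:off + step]
        more = 1 if off + step < len(udp) else 0     # MF flag
        flags_off = (more << 13) | (off // 8)        # flags (3 bits) + fragment offset (13 bits)
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(chunk),
                          ip_id, flags_off, 64, 17, 0, src, dst)   # no checksum needed here
        frags.append(hdr + chunk)
    return frags

def parse(pkt):
    """The IPv4 fields a fragment-aware filter needs."""
    ihl = (pkt[0] & 0x0F) * 4
    ip_id, flags_off = struct.unpack("!HH", pkt[4:8])
    return {"key": (pkt[12:16], pkt[16:20], pkt[9], ip_id),   # src, dst, proto, ID
            "offset": flags_off & 0x1FFF,                     # what BPF's ip[6:2] & 0x1fff tests
            "l4": pkt[ihl:]}

def matches_udp_port(pkt, port):
    """What the capture filter 'udp port <port>' really tests: protocol 17, fragment
    offset 0 (so a UDP header is present) and the port found in that header."""
    p = parse(pkt)
    if p["key"][2] != 17 or p["offset"] != 0 or len(p["l4"]) < 4:
        return False
    sport, dport = struct.unpack("!HH", p["l4"][:4])
    return port in (sport, dport)

def fragment_aware_filter(pkts, port):
    """Two-pass post-capture filter: pass 1 finds datagrams whose first fragment matches,
    pass 2 keeps every fragment sharing its (src, dst, proto, ID). The 16-bit ID wraps,
    so a long capture can see a key reused; scope the capture or add a time window."""
    wanted = {parse(p)["key"] for p in pkts if matches_udp_port(p, port)}
    return [p for p in pkts if parse(p)["key"] in wanted]

def demo():
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    captured = (build_fragments(b"A" * 3000, 0x1234, src, dst, UDP_PORT)   # 3 fragments we want
                + build_fragments(b"B" * 3000, 0x5678, src, dst, 53))      # 3 unrelated fragments
    first_only = sum(matches_udp_port(p, UDP_PORT) for p in captured)
    return first_only, len(fragment_aware_filter(captured, UDP_PORT))      # (1, 3)
```

The second pass only helps if the non-first fragments were captured at all; with libpcap that means widening the capture filter to something like `udp port 50000 or (ip[6:2] & 0x1fff) != 0` (standard tcpdump filter syntax, not shown in the thread) and discarding the unrelated fragments afterwards.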
