On Wed, Apr 30, 2008 at 10:29:54AM -0400, Maynard, Chris wrote:

> I must be losing my mind. I tried this several times yesterday and I could have sworn I captured all fragments with Wireshark but not with tcpdump using the same exact capture filter. Of course today I can't recreate it, so obviously I was doing something wrong yesterday or just wildly hallucinating.
>
> OK, well then let me modify the question slightly. Is there a way to capture the IP fragments, but only those that are part of the "UDP stream" I'm interested in? In other words, if I send a 3K chunk of data over UDP to port 50000, it will get broken up into 3 IP packets. I want to capture all 3 packets, but I don't want to capture any other IP fragments. I don't think it's possible via a capture filter but I figured I would ask. And so assuming you had other irrelevant IP fragments in your capture file, is there a way to easily filter them out using a display filter? Even that seems difficult to me because I guess you could use the IP's ID field, but that would only work for a single instance, and of course I'm looking for the more general case.
I don't think that what you are trying to do can be accomplished with capture or display filters since, as you know, only the first fragment has layer 4 information that can be used by the filter, and since filters don't keep state, fragments other than the first can't be identified by a filter that uses layer 4 information. I don't know how one would go about leveraging libwireshark's re-assembly features, though.

Cheers,

Eloy Paris.-

_______________________________________________
Wireshark-dev mailing list
[email protected]
http://www.wireshark.org/mailman/listinfo/wireshark-dev

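What Eloy describes is exactly the limitation of a stateless filter: the non-first fragments carry no UDP header, so the only way to pick them out is to remember the IP ID of a first fragment whose UDP header matched and then keep every fragment sharing that (src, dst, proto, ID) key. The script below is an added illustration, not code from this thread or from Wireshark or tcpdump. It builds a small constructed "capture" of raw IPv4 packets in memory (a 3000-byte datagram to UDP port 50000 split into 3 fragments, an unrelated fragmented datagram to port 53, and two unfragmented packets), deliberately orders the fragments out of sequence, and runs a two-pass stateful selection over them. The header builder and parser are minimal (IPv4 only, no options, checksums left at zero); in real use you would feed it packets read from a pcap file instead of the constructed sample.

```python
import struct

UDP_PROTO = 17


def build_ipv4(src, dst, proto, ip_id, frag_off, more_frags, payload):
    """Minimal IPv4 header (no options, checksum 0) plus payload. Constructed test data only."""
    flags_frag = (0x2000 if more_frags else 0) | (frag_off // 8)
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ip_id,
                      flags_frag, 64, proto, 0, src_b, dst_b)
    return hdr + payload


def fragment_udp(src, dst, ip_id, sport, dport, data, mtu=1500):
    """Split one UDP datagram into IPv4 fragments the way a sending host would.
    Only the first fragment carries the 8-byte UDP header; fragment payloads
    are multiples of 8 bytes as the fragment offset field requires."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    max_payload = (mtu - 20) // 8 * 8
    frags, off = [], 0
    while off < len(udp):
        chunk = udp[off:off + max_payload]
        more = off + len(chunk) < len(udp)
        frags.append(build_ipv4(src, dst, UDP_PROTO, ip_id, off, more, chunk))
        off += len(chunk)
    return frags


def parse_ipv4(pkt):
    (ver_ihl, _, total_len, ip_id, flags_frag,
     _, proto, _, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": src, "dst": dst, "proto": proto, "id": ip_id,
            "mf": bool(flags_frag & 0x2000),
            "off": (flags_frag & 0x1FFF) * 8,
            "payload": pkt[ihl:total_len]}


def select_udp_stream_fragments(packets, dport):
    """Stateful selection a BPF/display filter cannot do.
    Pass 1 learns the (src, dst, proto, IP ID) key of every *first* fragment
    (offset 0, MF set) whose UDP destination port matches.
    Pass 2 keeps any fragment with a learned key, plus unfragmented matches.
    Two passes are needed because fragments can arrive out of order.
    Caveat: IP IDs are reused over time, so on a long capture this can
    over-select; a real tool would also expire keys on the last fragment."""
    wanted = set()
    for pkt in packets:
        ip = parse_ipv4(pkt)
        if ip["proto"] != UDP_PROTO or ip["off"] != 0 or len(ip["payload"]) < 8:
            continue
        _, d, _, _ = struct.unpack("!HHHH", ip["payload"][:8])
        if d == dport and ip["mf"]:
            wanted.add((ip["src"], ip["dst"], ip["proto"], ip["id"]))

    keep = []
    for i, pkt in enumerate(packets):
        ip = parse_ipv4(pkt)
        key = (ip["src"], ip["dst"], ip["proto"], ip["id"])
        first_or_whole_match = False
        if ip["proto"] == UDP_PROTO and ip["off"] == 0 and len(ip["payload"]) >= 8:
            first_or_whole_match = struct.unpack("!HHHH", ip["payload"][:8])[1] == dport
        if key in wanted or first_or_whole_match:
            keep.append(i)
    return keep


def build_sample_capture():
    """Constructed packet list; fragments deliberately out of order."""
    stream = fragment_udp("10.0.0.1", "10.0.0.2", 0x1234, 40000, 50000, b"A" * 3000)
    other = fragment_udp("10.0.0.1", "10.0.0.2", 0x5678, 40001, 53, b"B" * 2000)
    whole_match = fragment_udp("10.0.0.1", "10.0.0.2", 0, 40002, 50000, b"C" * 10)
    whole_other = fragment_udp("10.0.0.1", "10.0.0.2", 0, 40003, 123, b"D" * 10)
    return [stream[2], other[0], stream[0], whole_other[0],
            other[1], stream[1], whole_match[0]]


if __name__ == "__main__":
    pkts = build_sample_capture()
    print("kept packet indices:", select_udp_stream_fragments(pkts, 50000))
```

Indices 0, 2 and 5 are the three fragments of the port-50000 datagram (including the two that carry no UDP header) and index 6 is the unfragmented datagram to the same port; the port-53 fragments and the NTP packet are dropped. Note that the unfragmented packets use IP ID 0, which is why the first pass only learns keys from packets with MF set: otherwise ID 0 would match unrelated traffic between the same hosts.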