Eloy Paris wrote:

> I don't think that what you are trying to do can be accomplished with
> capture or display filters since as you know only the first fragment
> has layer 4 information that can be used by the filter, and since
> filters don't keep state, then fragments other than the first can't be
> identified by a filter that uses layer 4 information.

...and there's no guarantee that the first fragment will be the first one transmitted, so even if the filter *did* keep state, there's no guarantee that it could work. (I seem to remember hearing that at least some versions of the Linux IPv4 stack transmit the fragments in reverse order, perhaps so that the first received fragment gives the length of the reassembled datagram, and the receiver can allocate a buffer for the fragment at that point.)

_______________________________________________
Wireshark-dev mailing list
[email protected]
http://www.wireshark.org/mailman/listinfo/wireshark-dev
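
The point made in this thread, as an added example that is not part of the original messages and is not Wireshark code: a per-packet port check sees only the offset-0 fragment, while a tracker keyed on (source, destination, protocol, IP ID) that holds fragments until the offset-0 one arrives can classify the whole datagram even when fragments are sent in reverse order. All function names and the sample packets are constructed for illustration, and the tracker assumes no IP ID reuse and no eviction timeout.

```python
import struct
from collections import defaultdict

def ipv4(src, dst, ident, frag_off, more, payload, proto=17):
    """Build a minimal 20-byte IPv4 header plus payload (checksum left 0)."""
    flags_off = (0x2000 if more else 0) | (frag_off // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                       flags_off, 64, proto, 0, bytes(src), bytes(dst)) + payload

def fields(pkt):
    """Return (flow key, fragment offset, dst port or None if not visible)."""
    ihl = (pkt[0] & 0x0F) * 4
    ident, flags_off, _, proto = struct.unpack("!HHBB", pkt[4:10])
    offset = (flags_off & 0x1FFF) * 8
    port = None  # only the offset-0 fragment of TCP/UDP carries the ports
    if offset == 0 and proto in (6, 17) and len(pkt) >= ihl + 4:
        port = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    return (pkt[12:16], pkt[16:20], proto, ident), offset, port

def stateless_match(packets, dport):
    """What a per-packet filter on layer 4 information can see."""
    return [i for i, p in enumerate(packets) if fields(p)[2] == dport]

def match_fragments(packets, dport):
    """Indexes of every fragment of datagrams whose dst port is dport.

    Fragments seen before the offset-0 fragment are held, so arrival
    order does not matter.
    """
    pending, verdict, matched = defaultdict(list), {}, []
    for i, pkt in enumerate(packets):
        key, offset, port = fields(pkt)
        if offset == 0:
            verdict[key] = port == dport
            held = pending.pop(key, [])
            if verdict[key]:
                matched.extend(held)
        if key not in verdict:
            pending[key].append(i)
        elif verdict[key]:
            matched.append(i)
    return sorted(matched)

def sample():
    """Constructed capture: one datagram in reverse order, one in order."""
    a, b = (10, 0, 0, 1), (10, 0, 0, 2)
    udp53 = struct.pack("!HHHH", 40000, 53, 48, 0) + b"A" * 8
    udp123 = struct.pack("!HHHH", 40001, 123, 24, 0) + b"B" * 8
    return [ipv4(a, b, 0x1234, 32, False, b"C" * 16),  # last fragment first
            ipv4(a, b, 0x9999, 0, True, udp123),
            ipv4(a, b, 0x1234, 16, True, b"C" * 16),
            ipv4(a, b, 0x9999, 16, False, b"D" * 8),
            ipv4(a, b, 0x1234, 0, True, udp53)]         # first fragment last
```

On the constructed capture, `stateless_match(sample(), 53)` finds only the offset-0 fragment, while `match_fragments(sample(), 53)` returns all three fragments of that datagram.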
