On Mar 25, 2009, at 6:13 PM, siri m wrote:
> We have a legacy custom plugin (written on top of UDP), which
> handles multicast packets which may be fragmented, which works fine
> for normal scenarios. However, the plugin fails to decode for the
> cases where there can be duplicate fragments (e.g., one coming
> from the actual host and another one from a firewall). The fragments
> are exactly the same excepting that the Ethernet source address is
> different.
>
> Can someone give me pointers as to how we could handle this special
> case when re-assembling the fragments? Is there a way to ignore
> packets coming from the firewall?

Check the link-layer source address? It's a structure of type
"address" (just "address", not "struct address") in pinfo->dl_src.
That structure has, as its fields:

    type - if it's a MAC-layer address for Ethernet or other 802.x or
    FDDI, it's AT_ETHER, but it's not *guaranteed* to be AT_ETHER unless
    you've captured it on an Ethernet/other 802.x/FDDI interface;

    len - the length of the address, in bytes;

    data - a pointer to "len" bytes of data.

On the other hand, if the fragments are identical except for the
source MAC address, that presumably means that:

    the Ethernet destination address;

    the IP source and destination addresses;

    the UDP source and destination ports;

are identical, meaning that whatever process receives the packets will
receive *both* packets, so whatever process receives the packets needs
to handle the case of duplicate fragments (by "receives" I'm not
referring to capturing traffic, I'm referring to receiving and
processing the packets as regular input, i.e. the process to which the
packets are *intended* to be sent). How does *it* handle that case?
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <[email protected]>
Archives: http://www.wireshark.org/lists/wireshark-dev
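
The two points in the reply above, as an added example that is not part of the original mail or of Wireshark's code: a check on the link-layer source address, and a reassembler that tolerates a repeated fragment. The `address` type here is a stand-in with the three fields the reply lists (a real dissector would pass `&pinfo->dl_src`); `dl_src_is`, `reasm`, `reasm_add`, the fixed fragment size and the sample MACs are hypothetical.

```c
#include <stdint.h>
#include <string.h>

/* Stand-in for Wireshark's "address" type so this builds without the
 * Wireshark headers; the enum values are placeholders. */
typedef enum { AT_NONE, AT_ETHER } address_type;
typedef struct { address_type type; int len; const uint8_t *data; } address;

/* Nonzero only if dl_src is a 6-byte Ethernet address equal to mac.
 * A capture whose link layer is not AT_ETHER never matches. */
static int dl_src_is(const address *dl_src, const uint8_t mac[6])
{
    return dl_src != NULL && dl_src->type == AT_ETHER && dl_src->len == 6 &&
           dl_src->data != NULL && memcmp(dl_src->data, mac, 6) == 0;
}

#define MAX_FRAGS 8
#define FRAG_LEN  4   /* constructed fixed fragment size */
typedef struct {
    uint8_t  buf[MAX_FRAGS * FRAG_LEN];
    unsigned seen;    /* bit i set once fragment i is stored */
    unsigned total;   /* number of fragments expected */
} reasm;

enum { FRAG_STORED, FRAG_DUPLICATE, FRAG_IGNORED_SOURCE, FRAG_BAD_INDEX, FRAG_COMPLETE };

/* Add one fragment. Frames whose source is ignore_mac are skipped, and a
 * repeated index keeps the first copy instead of being stored twice. */
static int reasm_add(reasm *r, const address *dl_src, const uint8_t ignore_mac[6],
                     unsigned idx, const uint8_t frag[FRAG_LEN])
{
    if (dl_src_is(dl_src, ignore_mac)) return FRAG_IGNORED_SOURCE;
    if (idx >= r->total || idx >= MAX_FRAGS) return FRAG_BAD_INDEX;
    if (r->seen & (1u << idx)) return FRAG_DUPLICATE;
    memcpy(r->buf + idx * FRAG_LEN, frag, FRAG_LEN);
    r->seen |= 1u << idx;
    return r->seen == (1u << r->total) - 1 ? FRAG_COMPLETE : FRAG_STORED;
}

int main(void)
{
    /* Constructed sample: two MACs, one message split into two fragments. */
    const uint8_t host[6] = {2, 0, 0, 0, 0, 1}, fw[6] = {2, 0, 0, 0, 0, 0xfe};
    address from_fw = {AT_ETHER, 6, fw}, from_host = {AT_ETHER, 6, host};
    reasm r = {{0}, 0, 2};
    reasm_add(&r, &from_fw, fw, 0, (const uint8_t *)"abcd");   /* skipped */
    reasm_add(&r, &from_host, fw, 0, (const uint8_t *)"abcd"); /* stored */
    return reasm_add(&r, &from_host, fw, 1, (const uint8_t *)"efgh") == FRAG_COMPLETE ? 0 : 1;
}
```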