Re: PCAP - IP Fragments

[Roman Pfender <rmp () minet uni-jena de>]

On Jul 1, 2004, at 12:08, guy () alum mit edu wrote:

> > tcpdump doesn't have any specific facility to handle fragmented
> > packets,
> > as far as I know (it cannot reassemble the fragments).
>
> That capability could be added (Ethereal supports it), although, if
> provided, it should be an option (as reassembly would consume extra
> memory - it's an option in Ethereal).

Hi folks,

that's exactly what I am looking for. In my application there is a lot of
UDP traffic on several hundred ports. In order not to loose any packets I
tended to use one large buffer instead of many small ones. So pcap might
be a good solution. And in my test application using pcap the package loss
was zero, even during occasional heavy I/O-operations. So pcap is working
great.
The only negative side effect is that pcap returns just raw packages. But
my application needs UDP packages.

Is there a way to achieve the reassembling of the IP and UDP package
fragments in an efficient way (eg by the kernel or within pcap)?
Unfortunately I am not a network protocol specialist :-(

As there are only UDP packages arriving at my ports it does no harm to
omit the filter program for UDP (in other words: it's ok to filter only
for the port numbers). If necessary it is even possible to omit the port
number filtering to get all packages of the interface.

Thanks,
Roman

-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.