Re: PCAP - IP Fragments

[sthaug () nethelp no]

> > You could write a BPF expression to match a particular packet id#.
>
> How should I do this? I don`t know a specific packet id. What I would have
> to do is to compare each packet id with the ones received earlier and I must
> store it to compare with ones received later. With that whole packets must
> be stored over a longer period. 
> This is not possible!? How does tcpdump handle this?

There is no silver bullet here. If you receive fragments out of order
and your application wants to handle these, your application or something
else *must* store the fragments:

- At least until the first packet (with the port numbers) arrive, if you
only want to correlate the fragment with the first packet.

- Until all fragments have arrived, if you want to reassemble the packet.

tcpdump doesn't have any specific facility to handle fragmented packets,
as far as I know (it cannot reassemble the fragments).

Steinar Haug, Nethelp consulting, sthaug () nethelp no
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.