Re: Capture IP Fragments

[Abhijit Bare <abhibare () gmail com>]

Thank you for the reply. I captured a 500GB traffic over 3 days using
tcpdump and there was concern that fragments were not captured. It
definitely looks like only the first fragments were captured and remaining
fragments were not. But that was not because of tcpdump. The GigaVUE is
dropping those packets. So the server is not getting those packets at all.

- Abhijit

On Wed, Oct 14, 2009 at 12:01 AM, Guy Harris <guy () alum mit edu> wrote:

> On Oct 13, 2009, at 9:05 PM, Abhijit Bare wrote:
>
>  Does tcpdump capture IP fragments by default - when I do not specify any
> > filter at all?
>
> Yes, as long as, for example, the network adapter doing the capturing isn't
> doing its own IP reassembly, tcpdump (and any other application using
> libpcap/WinPcap, e.g. Wireshark/TShark) will, if no filter is specified,
> capture all arriving packets not dropped by the capture mechanism due to the
> application not processing packets fast enough.  This includes IP fragments.
>  (If a filter *is* specified, it might not capture IP fragments - a fragment
> such as "port N", for some value of N, won't capture IP fragments other than
> the first fragment, as the TCP or UDP header, with the port number, will
> only be in the first fragment.)
>
> If that's not happening (as I suspect it is, otherwise you probably
> wouldn't be asking this question), there's some other problem.  Are you not
> seeing IP fragments?
> -
> This is the tcpdump-workers list.
> Visit https://cod.sandelman.ca/ to unsubscribe.
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.