tcpdump mailing list archives
Re: Wenfei: how does tcpdump filter packets?
From: Guy Harris <guy () alum mit edu>
Date: Tue, 29 Jan 2013 15:24:10 -0800
On Jan 29, 2013, at 2:24 PM, Wenfei Wu <wenfeiwu () cs wisc edu> wrote:
> Thanks, this is really helpful.
>
> On Tue, Jan 29, 2013 at 3:21 PM, Guy Harris <guy () alum mit edu> wrote:
>
>> er, so you can't check the TCP ports in tho
I'm not sure whether you intended to quote that part of my response, but, if you did, because handling fragmented IP datagrams is an issue:

If you want to filter based on TCP-level or UDP-level information, *and* you want to handle IP fragments, whatever software does the capturing and filtering will have to, when it sees a fragment that's either not the first fragment or that is the first fragment but not the last fragment, see whether other fragments of the same datagram have been seen. If so, then associate the new fragment with the other fragments; if all fragments have been seen, check whether the packet matches the filter (if all the information being checked is in the first fragment, you won't need to reassemble the packet to do that) and then treat all the fragments as having passed the filter.

That doesn't handle, for example, a case where you have a filter such as

    ether src host XX:XX:XX:XX:XX:XX and tcp port 80

and some, but not all, of the fragments are from MAC address XX:XX:XX:XX:XX:XX - I'm not sure what the right thing to do in that case would be.

It also makes in-order delivery of link-layer packets complicated, as some packets have to wait - if there are any unfinished fragmented packets, *all* packets would have to be queued up behind them and released when there are no remaining fragments with time stamps before those packets.
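The fragment bookkeeping described in the message above, sketched as an added example that is not part of the original post and is not libpcap or tcpdump code. It assumes raw IPv4 packets with no link-layer header and a single `tcp port N` test; `FragmentAwareFilter`, `build_ipv4`, `parse_ipv4` and `tcp_port_matches` are hypothetical names.

```python
# Added illustration (hypothetical names; not libpcap or tcpdump code).
import struct

def build_ipv4(ident, offset, more, payload, proto=6):
    """Constructed sample packet: minimal 20-byte IPv4 header plus payload."""
    frag = (0x2000 if more else 0) | (offset // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, frag,
                       64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + payload

def parse_ipv4(pkt):
    """Return (datagram key, byte offset, more-fragments flag, payload)."""
    total_len, ident, frag = struct.unpack("!HHH", pkt[2:8])
    key = (pkt[12:16], pkt[16:20], pkt[9], ident)    # src, dst, protocol, IP ID
    payload = pkt[(pkt[0] & 0x0F) * 4:total_len]     # skip the IP header (IHL words)
    return key, (frag & 0x1FFF) * 8, bool(frag & 0x2000), payload

def tcp_port_matches(payload, port):
    """Source and destination port are the first four bytes of the TCP header."""
    return len(payload) >= 4 and port in struct.unpack("!HH", payload[:4])

class FragmentAwareFilter:
    """'tcp port N' that holds fragments until the whole datagram has been seen."""
    def __init__(self, port):
        self.port, self.pending = port, {}   # pending: key -> [(offset, payload, more, pkt)]

    def feed(self, pkt):
        """Return the packets released by this arrival (possibly none)."""
        key, off, more, payload = parse_ipv4(pkt)
        if key[2] != 6:                                   # not TCP
            return []
        if off == 0 and not more:                         # unfragmented: decide now
            return [pkt] if tcp_port_matches(payload, self.port) else []
        frags = self.pending.setdefault(key, [])
        frags.append((off, payload, more, pkt))
        if not self._complete(frags):
            return []                                     # wait for the rest
        del self.pending[key]
        first = min(frags, key=lambda f: f[0])            # offset 0 holds the TCP header
        return [f[3] for f in frags] if tcp_port_matches(first[1], self.port) else []

    @staticmethod
    def _complete(frags):
        """True once a last fragment exists and bytes 0..end have no hole."""
        ends = [off + len(p) for off, p, more, _ in frags if not more]
        covered = 0
        for off, payload, _, _ in sorted(frags, key=lambda f: f[0]):
            if off > covered:
                return False
            covered = max(covered, off + len(payload))
        return bool(ends) and covered >= ends[0]
```

The sketch never expires entries in `pending` and does not queue unrelated packets behind unfinished datagrams, so it shows only the matching step; a capture path built this way also needs a timeout and a memory bound on held fragments.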