tcpdump mailing list archives

Re: 'tcpdump -s0' payload length limit?


From: Guy Harris <guy () alum mit edu>
Date: Wed, 25 Aug 2004 11:18:47 -0700


On Aug 25, 2004, at 11:09 AM, Guy Harris wrote:

Note, however, that the reassembly is *NOT* done at the low-layer capture level, so a capture filter of "port 12509" will only capture the first fragment of a fragmented datagram, and Ethereal and Tethereal will *NOT* be able to reassemble the packet. You would have to specify a filter that looks only at the IP headers, such as a filter that checks for UDP, or that checks for UDP traffic between two particular hosts, in order to capture *all* the fragments.

Or you could use a filter that captures traffic to/from port 12509 *or* that has a non-zero fragment offset, so it captures port 12509 traffic *and* all fragments other than first/only fragments. That might capture fragments that you don't need, but that's the best you can do. Constructing such a filter is left as an exercise to the reader.

Such a filter, used with tcpdump, would get the subsequent fragments; tcpdump wouldn't reassemble them, but it'd at least print them, which might be enough.

-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.
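The "exercise to the reader" above amounts to the capture filter `udp port 12509 or (ip[6:2] & 0x1fff) != 0` (used as `tcpdump -s0 'udp port 12509 or (ip[6:2] & 0x1fff) != 0'`). The script below is an added illustration, not part of the original post: it parses constructed IPv4 fragments and applies the same two tests libpcap applies, showing why a plain port filter drops every fragment after the first and how the combined filter keeps them.

```python
import struct

PORT = 12509  # UDP port from the thread

def ipv4_fields(pkt):
    """Parse an IPv4 header (no link layer). Returns
    (protocol, fragment offset in 8-byte units, payload after the header)."""
    vihl, _tos, _tlen, _ident, flags_frag, _ttl, proto = struct.unpack_from("!BBHHHBB", pkt, 0)
    ihl = (vihl & 0x0F) * 4
    frag_offset = flags_frag & 0x1FFF      # the bits BPF reads as ip[6:2] & 0x1fff
    return proto, frag_offset, pkt[ihl:]

def matches_port_only(pkt):
    """Equivalent of 'udp port 12509': libpcap only looks at UDP ports when the
    fragment offset is zero, since only the first fragment carries the UDP header."""
    proto, frag_offset, payload = ipv4_fields(pkt)
    if proto != 17 or frag_offset != 0 or len(payload) < 4:
        return False
    sport, dport = struct.unpack_from("!HH", payload, 0)
    return PORT in (sport, dport)

def matches_port_or_fragment(pkt):
    """Equivalent of 'udp port 12509 or (ip[6:2] & 0x1fff) != 0': first fragments
    selected by port, every later fragment selected by its non-zero offset."""
    _proto, frag_offset, _payload = ipv4_fields(pkt)
    return frag_offset != 0 or matches_port_only(pkt)

def make_ipv4(proto, more_fragments, frag_offset_units, payload):
    """Build a minimal IPv4 header plus payload (constructed data, checksum left zero)."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset_units & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0xBEEF, flags_frag,
                      64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload

# Constructed sample: one UDP datagram to port 12509 split into two fragments.
FIRST_FRAG = make_ipv4(17, True, 0, struct.pack("!HHHH", 40000, PORT, 1500, 0) + b"A" * 8)
SECOND_FRAG = make_ipv4(17, False, 185, b"B" * 8)   # offset 185 * 8 = 1480 bytes, no UDP header

def demo():
    """Which filter keeps which fragment, in order (first, second)."""
    frags = (FIRST_FRAG, SECOND_FRAG)
    return {"port_only": [matches_port_only(p) for p in frags],
            "port_or_fragment": [matches_port_or_fragment(p) for p in frags]}

if __name__ == "__main__":
    print(demo())
```

The combined filter also admits non-first fragments of unrelated datagrams, which is the over-capture the post mentions; IPv6 fragments use an extension header and are not covered by this IPv4 offset check.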
