tcpdump mailing list archives
Re: 'tcpdump -s0' payload length limit?
From: Guy Harris <guy () alum mit edu>
Date: Wed, 25 Aug 2004 11:18:47 -0700
On Aug 25, 2004, at 11:09 AM, Guy Harris wrote:
> Note, however, that the reassembly is *NOT* done at the low-layer capture level, so a capture filter of "port 12509" will only capture the first fragment of a fragmented datagram, and Ethereal and Tethereal will *NOT* be able to reassemble the packet. You would have to specify a filter that looks only at the IP headers, such as a filter that checks for UDP, or that checks for UDP traffic between two particular hosts, in order to capture *all* the fragments.
Or you could use a filter that captures traffic to/from port 12509 *or* that has a non-zero fragment offset, so it captures port 12509 traffic *and* all fragments other than first/only fragments. That might capture fragments that you don't need, but that's the best you can do. Constructing such a filter is left as an exercise to the reader.
Such a filter, used with tcpdump, would get the subsequent fragments; tcpdump wouldn't reassemble them, but it'd at least print them, which might be enough.
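The filter Guy leaves as an exercise can be written as `udp port 12509 or (ip[6:2] & 0x1fff != 0)`: the `ip[6:2] & 0x1fff` expression is the 13-bit fragment offset of the IPv4 header, which is zero only for first (or unfragmented) datagrams, and libpcap's own `port` primitive refuses to look at ports when that offset is non-zero, because the UDP header is only in the first fragment. The following Python is an added illustration, not code from the thread or from tcpdump; it builds constructed IPv4/UDP fragments in memory and models the two filter expressions (`udp port N` alone, and the combined "port or non-first fragment" filter) so you can see which fragments each one admits. `build`/`fragment_udp_datagram`/`demo` and the sample addresses are assumptions of the example.

```python
import struct

PORT = 12509            # the port from the thread
IP_PROTO_UDP = 17

def ipv4_header(src, dst, proto, payload_len, frag_offset=0, more_fragments=False, ident=0x1234):
    """Minimal 20-byte IPv4 header (no options, checksum left zero).
    frag_offset is in bytes and must be a multiple of 8, as on the wire."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                       flags_frag, 64, proto, 0, src, dst)

def udp_header(sport, dport, length):
    return struct.pack("!HHHH", sport, dport, length, 0)

def fragment_udp_datagram(src, dst, sport, dport, payload, frag_payload=24):
    """Split one UDP datagram into IPv4 fragments the way a sender would.
    Only the first fragment carries the 8-byte UDP header (and thus the ports)."""
    datagram = udp_header(sport, dport, 8 + len(payload)) + payload
    frags = []
    for off in range(0, len(datagram), frag_payload):
        chunk = datagram[off:off + frag_payload]
        more = off + frag_payload < len(datagram)
        frags.append(ipv4_header(src, dst, IP_PROTO_UDP, len(chunk), off, more) + chunk)
    return frags

def frag_offset(pkt):
    """The BPF expression 'ip[6:2] & 0x1fff': low 13 bits of the flags/offset field."""
    return struct.unpack("!H", pkt[6:8])[0] & 0x1FFF

def matches_udp_port(pkt, port):
    """Model of libpcap's 'udp port N': IP proto must be UDP, fragment offset must be 0
    (otherwise there is no UDP header to inspect), then compare both ports."""
    if pkt[9] != IP_PROTO_UDP or frag_offset(pkt) != 0:
        return False
    ihl = (pkt[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return port in (sport, dport)

def matches_port_or_fragment(pkt, port):
    """Model of 'udp port N or (ip[6:2] & 0x1fff != 0)': the port match for first
    fragments plus every non-first fragment, whatever datagram it belongs to."""
    return matches_udp_port(pkt, port) or frag_offset(pkt) != 0

def demo():
    """Constructed traffic: one 68-byte UDP datagram to PORT split into 3 fragments,
    plus an unrelated, unfragmented UDP packet on another port.
    Returns (fragment count, verdicts of 'udp port N', verdicts of the combined filter)."""
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    frags = fragment_udp_datagram(src, dst, 40000, PORT, b"A" * 60)
    other = ipv4_header(src, dst, IP_PROTO_UDP, 12) + udp_header(5353, 5353, 12) + b"mDNS"
    traffic = frags + [other]
    port_only = [matches_udp_port(p, PORT) for p in traffic]
    combined = [matches_port_or_fragment(p, PORT) for p in traffic]
    return len(frags), port_only, combined

if __name__ == "__main__":
    print(demo())   # -> (3, [True, False, False, False], [True, True, True, False])
```

With real traffic the equivalent capture is `tcpdump -s0 -n 'udp port 12509 or (ip[6:2] & 0x1fff != 0)'`; as the post says, the second clause also admits trailing fragments of unrelated datagrams, which is the price of filtering below the reassembly layer.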
- This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe.