Re: 'tcpdump -s0' payload length limit?

["David Front" <david.front () cern ch>]

Hello Guy Harris

Thanks for the detailed answer!

    David Front
    CERN IT

----- Original Message ----- 
From: "Guy Harris" <guy () alum mit edu>
To: <tcpdump-workers () lists tcpdump org>
Sent: Wednesday, August 25, 2004 8:18 PM
Subject: Re: [tcpdump-workers] 'tcpdump -s0' payload length limit?


> On Aug 25, 2004, at 11:09 AM, Guy Harris wrote:
>
> > Note, however, that the reassembly is *NOT* done at the low-layer 
> > capture level, so a capture filter of "port 12509" will only capture 
> > the first fragment of a fragmented datagram, and Ethereal and 
> > Tethereal will *NOT* be able to reassemble the packet.  You would have 
> > to specify a filter that looks only at the IP headers, such as a 
> > filter that checks for UDP, or that checks for UDP traffic between two 
> > particular hosts, in order to capture *all* the fragments.
>
> Or you could use a filter that captures traffic to/from port 12509 *or* 
> that has a non-zero fragment offset, so it captures port 12509 traffic 
> *and* all fragments other than first/only fragments.  That might 
> capture fragments that you don't need, but that's the best you can do.  
> Constructing such a filter is left as an exercise to the reader.
>
> Such a filter, used with tcpdump, would get the subsequent fragments; 
> tcpdump wouldn't reassemble them, but it'd at least print them, which 
> might be enough.
>
> -
> This is the tcpdump-workers list.
> Visit https://lists.sandelman.ca/ to unsubscribe.
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.