tcpdump mailing list archives

Re: Capture IP Fragments


From: Guy Harris <guy () alum mit edu>
Date: Tue, 13 Oct 2009 23:01:29 -0700


On Oct 13, 2009, at 9:05 PM, Abhijit Bare wrote:

> Does tcpdump capture IP fragments by default - when I do not specify any
> filter at all?

Yes, as long as, for example, the network adapter doing the capturing isn't doing its own IP reassembly, tcpdump (and any other application using libpcap/WinPcap, e.g. Wireshark/TShark) will, if no filter is specified, capture all arriving packets not dropped by the capture mechanism due to the application not processing packets fast enough. This includes IP fragments. (If a filter *is* specified, it might not capture IP fragments - a fragment such as "port N", for some value of N, won't capture IP fragments other than the first fragment, as the TCP or UDP header, with the port number, will only be in the first fragment.)

If that's not happening (as I suspect it is, otherwise you probably wouldn't be asking this question), there's some other problem. Are you not seeing IP fragments?
-
This is the tcpdump-workers list.
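
The point in the reply above about "port N" filters and non-first fragments, as an added example that is not part of the original message: a small Python model of the port check, run over a constructed fragmented UDP datagram. The addresses, ports, payload and function names are assumptions made up for the illustration.

```python
import struct

def ipv4_header(ident, proto, frag_off_bytes, more_frags, payload_len):
    """Build a 20-byte IPv4 header (checksum left at 0; constructed test data)."""
    flags_off = (0x2000 if more_frags else 0) | (frag_off_bytes // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                       flags_off, 64, proto, 0,
                       bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))

def fragment_datagram(ident, sport, dport, data, frag_size):
    """Split one UDP datagram into IPv4 fragments (frag_size: multiple of 8)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    frags = []
    for off in range(0, len(udp), frag_size):
        chunk = udp[off:off + frag_size]
        more = off + frag_size < len(udp)
        frags.append(ipv4_header(ident, 17, off, more, len(chunk)) + chunk)
    return frags

def parse(pkt):
    """Return (header length, protocol, MF flag, fragment offset in bytes)."""
    ihl = (pkt[0] & 0x0F) * 4
    flags_off, = struct.unpack_from("!H", pkt, 6)
    return ihl, pkt[9], bool(flags_off & 0x2000), (flags_off & 0x1FFF) * 8

def matches_port(pkt, port):
    """Model of a "port N" filter: ports are only present at fragment offset 0."""
    ihl, proto, _mf, off = parse(pkt)
    if proto not in (6, 17) or off != 0:
        return False  # later fragments carry no TCP/UDP header to test
    sport, dport = struct.unpack_from("!HH", pkt, ihl)
    return port in (sport, dport)

def is_fragment(pkt):
    """Any fragment: MF set or non-zero offset (cf. 'ip[6:2] & 0x3fff != 0')."""
    _ihl, _proto, mf, off = parse(pkt)
    return mf or off != 0

def capture(packets, port):
    """Return (packets kept by the port test alone, kept by port-or-fragment)."""
    by_port = [p for p in packets if matches_port(p, port)]
    with_frags = [p for p in packets if matches_port(p, port) or is_fragment(p)]
    return by_port, with_frags

# Constructed input: one 3000-byte UDP payload to port 53, split into 3 fragments.
FRAGS = fragment_datagram(0x1234, 40000, 53, b"A" * 3000, 1480)
```

The port-or-fragment variant keeps every IP fragment on the wire, not only those belonging to port 53 traffic, so matching fragments to their datagram still has to be done afterwards by IP ID and address pair.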

