tcpdump mailing list archives

Re: fragmented ip packets


From: Ankith Agarwal <ankitha () cdac in>
Date: Tue, 23 Nov 2010 22:14:08 +0530 (IST)

On Tue, Nov 23, 2010, Guy Harris <guy () alum mit edu> said:

On Nov 23, 2010, at 12:51 AM, Ankith Agarwal wrote:

I am trying to filter all the SIP packets using pcap filter on ports of
5060 and 5061. But, some of the SIP packets are fragmented in the IP layer
because of their size (greater than MTU). I wanted to know whether the
pcap_loop api gives these packets by combining it, or it just gives the
last fragment of the packet.

The pcap_loop API gives each *link-layer* packet, as received by the network adapter, that matches the filter.  The 
same is true of all other packet-reading APIs (pcap_dispatch(), pcap_next(), and pcap_next_ex()), as they all run 
atop the same underlying packet capture mechanism.

A fragmented IP datagram has the TCP or UDP header in the first fragment, so if your filter is filtering on a TCP or 
UDP port number, only the *FIRST* fragment will be delivered.  If you want to capture *ALL* fragments, you will 
either need to capture with a filter that doesn't specify a TCP or UDP port number (or anything else in the TCP or 
UDP header), or that specifies "either this port number *OR* not the first fragment", and discard fragments that 
aren't part of an interesting reassembled fragment yourself.

None of the libpcap/WinPcap APIs will reassemble packets for you; you will have to do the reassembly yourself (and 
discard fragments that aren't part of a packet sent to or from the ports you specify).

(This is presumably SIP-over-UDP; if it's SIP-over-TCP or SIP-over-SCTP, the packets are probably "fragmented" at the 
TCP or SCTP layer, not the IP layer.)
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.

Thank you for your valuable suggestions. I have tried out this filter
expression---"ip[6]&0x02 == 1 and (sip related port numbers)". But, if a
fragmented SIP packet is encountered, will this filter return the first
fragments as sip or the last fragment? 

Regards
Ankith
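As an added illustration (not code from the thread or from libpcap), the following Python shows the two pieces Guy's reply says the application must supply: a capture filter of the form "the SIP ports OR not the first fragment", and the IP reassembly that libpcap does not do, discarding reassembled datagrams that are not to or from the SIP ports. It assumes raw IPv4 packets with no link-layer header, uses constructed sample fragments rather than captured traffic, and omits fragment timeouts and overlap handling.

```python
import struct
from collections import defaultdict

SIP_PORTS = {5060, 5061}
# Capture filter in the spirit of the reply: SIP-port first fragments, or any non-first fragment.
# A bare "udp port N" in BPF only matches fragment offset 0, hence the explicit second clause.
BPF_FILTER = "(udp port 5060 or udp port 5061) or (ip[6:2] & 0x1fff) != 0"

def parse_ipv4(pkt):
    """Header fields and payload of one raw IPv4 packet (no link-layer header)."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ident, flags_off = struct.unpack("!HHH", pkt[2:8])
    return {"key": (pkt[12:16], pkt[16:20], ident, pkt[9]),   # src, dst, id, proto
            "more": bool(flags_off & 0x2000), "offset": (flags_off & 0x1FFF) * 8,
            "payload": pkt[ihl:total_len]}

class Reassembler:
    """Collects fragments per datagram; returns the payload only for UDP to/from SIP ports."""
    def __init__(self):
        self.frags = defaultdict(dict)          # key -> {offset: (payload, more_flag)}

    def feed(self, pkt):
        f = parse_ipv4(pkt)
        parts = self.frags[f["key"]]
        parts[f["offset"]] = (f["payload"], f["more"])
        if 0 not in parts or all(more for _, more in parts.values()):
            return None                         # first or last fragment still missing
        data = b""
        for off in sorted(parts):
            if off != len(data):
                return None                     # hole in the middle: keep waiting
            data += parts[off][0]
        del self.frags[f["key"]]
        if f["key"][3] == 17 and len(data) >= 4:   # UDP: ports live in the first 4 bytes
            sport, dport = struct.unpack("!HH", data[:4])
            if sport in SIP_PORTS or dport in SIP_PORTS:
                return data
        return None                             # complete but not SIP: discard

def make_frag(ident, offset, more, chunk):
    """Constructed IPv4 fragment, 10.0.0.1 -> 10.0.0.2, proto UDP, checksum zeroed (sample data)."""
    flags_off = (0x2000 if more else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(chunk), ident, flags_off,
                      64, 17, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + chunk

def sample_datagram(dport):
    """Constructed UDP header plus a short SIP request (sample data)."""
    body = b"INVITE sip:bob@example.invalid SIP/2.0\r\nCSeq: 1 INVITE\r\n"
    return struct.pack("!HHHH", 40000, dport, 8 + len(body), 0) + body

def run_sample():
    """Feed a 3-fragment SIP datagram out of order, then a fragmented non-SIP (port 53) one."""
    r, out = Reassembler(), []
    for ident, dport in ((1, 5060), (2, 53)):
        full = sample_datagram(dport)
        frags = [make_frag(ident, 32, False, full[32:]), make_frag(ident, 0, True, full[:16]),
                 make_frag(ident, 16, True, full[16:32])]
        out.append([r.feed(p) for p in frags])
    return out
```

Only the third fragment of the SIP datagram yields a result, and the port-53 datagram is reassembled and then dropped, which is the per-datagram decision the reply describes.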

