Re: fragmented ip packets

[Christopher Maynard <Chris.Maynard () gtech com>]

Ankith Agarwal <ankitha <at> cdac.in> writes:

> Thank you for your valuable suggestions. I have tried out this filter
> expression---"ip[6]&0x02 == 1 and (sip related port numbers)". But, if a
> fragmented SIP packet is encountered, will this filter return the first
> fragments as sip or the last fragment? 

Here's a filter that will match all fragments:
"ip[6:2] & 0x3fff != 0x0000"

Essentially, it is a combination of the following two filters:
"ip[6:2] & 0x2000 == 0x2000"
"ip[6:2] & 0x1fff != 0x0000"

The first filter checks if the "More Fragments" bit is set, so it will match all
fragments except for the last one.  The second filter checks if the fragment
offset is non-zero, so it will match all fragments except for the first one. 
Used together, you will get all IP fragments.

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.