tcpdump mailing list archives

Re: Wenfei: how does tcpdump filter packets?


From: Guy Harris <guy () alum mit edu>
Date: Tue, 29 Jan 2013 15:24:10 -0800


On Jan 29, 2013, at 2:24 PM, Wenfei Wu <wenfeiwu () cs wisc edu> wrote:

Thanks, this is really helpful.
On Tue, Jan 29, 2013 at 3:21 PM, Guy Harris <guy () alum mit edu> wrote:
er, so you can't check the TCP ports in tho

I'm not sure whether you intended to quote that part of my response, but, if you did, it's because handling fragmented IP 
datagrams is an issue:

If you want to filter based on TCP-level or UDP-level information, *and* you want to handle IP fragments, whatever 
software does the capturing and filtering will have to, when it sees a fragment that's either not the first fragment or 
that is the first fragment but not the last fragment, see whether other fragments of the same datagram have been seen.  
If so, then associate the new fragment with the other fragments; if all fragments have been seen, check whether the 
packet matches the filter (if all the information being checked is in the first fragment, you won't need to reassemble 
the packet to do that) and then treat all the fragments as having passed the filter.

That doesn't handle, for example, a case where you have a filter such as

        ether src host XX:XX:XX:XX:XX:XX and tcp port 80

and some, but not all, of the fragments are from MAC address XX:XX:XX:XX:XX:XX - I'm not sure what the right thing to 
do in that case would be.

It also makes in-order delivery of link-layer packets complicated, as some packets have to wait - if there are any 
unfinished fragmented packets, *all* packets would have to be queued up behind them and released when there are no 
remaining fragments with time stamps before those packets.
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
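The following is an added worked example, not code from tcpdump or libpcap and not from this thread. It builds IPv4/TCP fragments by hand and contrasts a BPF-style "tcp port 80" check, which reads ports only from offset-0 fragments, with the scheme the message above outlines: decide on the first fragment, apply that verdict to every fragment of the same datagram, and release packets in arrival order so that anything arriving while a datagram is incomplete waits behind it. The addresses, IP identifiers, payloads and the FragmentAwareFilter class are all constructed for the illustration.

```python
"""Fragment-aware filtering demo (added illustration; not tcpdump/libpcap code)."""
import struct

IP_MF = 0x2000       # "More Fragments" flag in the IPv4 flags/offset field
IP_OFFMASK = 0x1FFF  # fragment offset, in 8-byte units
PROTO_TCP = 6


def build_ipv4(src, dst, ident, proto, flags_frag, payload):
    """Minimal 20-byte IPv4 header + payload (checksum left 0; constructed sample data)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0, src, dst)
    return hdr + payload


def build_tcp(sport, dport, data=b""):
    """Minimal 20-byte TCP header (SYN, data offset 5) followed by data."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0) + data


def parse_ipv4(pkt):
    ver_ihl, _, total, ident, ff, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": src, "dst": dst, "id": ident, "proto": proto,
            "mf": bool(ff & IP_MF), "offset": (ff & IP_OFFMASK) * 8,
            "payload": pkt[ihl:total]}


def bpf_tcp_port(pkt, port):
    """What 'tcp port N' amounts to: ports are read only when the fragment offset is 0,
    so a later fragment of a matching datagram never matches on its own."""
    ip = parse_ipv4(pkt)
    if ip["proto"] != PROTO_TCP or ip["offset"] != 0 or len(ip["payload"]) < 4:
        return False
    sport, dport = struct.unpack("!HH", ip["payload"][:4])
    return port in (sport, dport)


class FragmentAwareFilter:
    """Decides once per datagram (on the offset-0 fragment), applies that verdict to every
    fragment, and releases packets strictly in arrival order (head-of-line blocking)."""

    def __init__(self, match):
        self.match = match   # predicate run on unfragmented packets and first fragments
        self.queue = []      # (pkt, datagram key or None, verdict or None) in arrival order
        self.state = {}      # key -> {"verdict", "covered": [(start, end)], "total"}

    def feed(self, pkt):
        """Accept one packet; return the (pkt, verdict) pairs that can now be released."""
        ip = parse_ipv4(pkt)
        if not ip["mf"] and ip["offset"] == 0:          # not fragmented: decide now
            self.queue.append((pkt, None, self.match(pkt)))
        else:
            key = (ip["src"], ip["dst"], ip["id"], ip["proto"])
            st = self.state.setdefault(key, {"verdict": None, "covered": [], "total": None})
            st["covered"].append((ip["offset"], ip["offset"] + len(ip["payload"])))
            if ip["offset"] == 0:
                st["verdict"] = self.match(pkt)          # the ports live in the first fragment
            if not ip["mf"]:
                st["total"] = ip["offset"] + len(ip["payload"])
            self.queue.append((pkt, key, None))
        return self._release()

    @staticmethod
    def _complete(st):
        end = 0
        for start, stop in sorted(st["covered"]):
            if start > end:
                return False                             # hole: a fragment is still missing
            end = max(end, stop)
        return st["total"] is not None and end >= st["total"]

    def _release(self):
        out = []
        while self.queue:
            pkt, key, verdict = self.queue[0]
            if key is not None:
                st = self.state[key]
                if st["verdict"] is None or not self._complete(st):
                    break                                # everything behind this datagram waits
                verdict = st["verdict"]
            out.append((pkt, verdict))
            self.queue.pop(0)
        # forget datagrams whose fragments have all been released
        self.state = {k: v for k, v in self.state.items() if any(q[1] == k for q in self.queue)}
        return out


SRC, DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])   # constructed addresses


def sample_packets():
    """Constructed traffic: a port-80 datagram in two fragments, an unfragmented port-443
    packet, then a second port-80 datagram whose fragments arrive out of order."""
    tcp80 = build_tcp(40000, 80, b"GET ")                          # 24 bytes, a multiple of 8
    f1 = build_ipv4(SRC, DST, 0x1234, PROTO_TCP, IP_MF | 0, tcp80)
    f2 = build_ipv4(SRC, DST, 0x1234, PROTO_TCP, 3, b"/ HTTP/1.0\r\n")   # offset 3*8 = 24, last
    plain = build_ipv4(SRC, DST, 0x1235, PROTO_TCP, 0, build_tcp(40001, 443))
    g1 = build_ipv4(SRC, DST, 0x5678, PROTO_TCP, IP_MF | 0, tcp80)
    g2 = build_ipv4(SRC, DST, 0x5678, PROTO_TCP, 3, b"more")
    return [f1, f2, plain, g2, g1]


def run(packets):
    """Return (naive matches, fragment-aware matches, packets released)."""
    naive = sum(bpf_tcp_port(p, 80) for p in packets)
    flt = FragmentAwareFilter(lambda p: bpf_tcp_port(p, 80))
    released = []
    for p in packets:
        released.extend(flt.feed(p))
    return naive, sum(v for _, v in released), len(released)


if __name__ == "__main__":
    print(run(sample_packets()))   # naive filter accepts 2 packets, fragment-aware accepts 4
```

The queue models the in-order delivery cost the message points out: while a datagram has a missing fragment or has not yet had its first fragment, every later packet, fragmented or not, sits behind it. The example releases packets in arrival order, which is a simplification of "no remaining fragments with time stamps before those packets", and it has no timeout, so a datagram whose last fragment never arrives would block forever; a real implementation would need a reassembly timer and an eviction policy for that case. The mixed-source filter case from the message (some fragments from one MAC address, some from another) is deliberately not handled here, since the message itself leaves open what the right behaviour would be.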