Ethereal-dev: Re: [Ethereal-dev] Bug in ethereal filtering on DF (Don't Fragment) flag?
Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.
From: ronnie sahlberg <ronniesahlberg@xxxxxxxxx>
Date: Thu, 31 Mar 2005 16:06:27 +1000
The filter "ip.flags.df" will check if the field DF exists in the packet or not, regardless of what value it has (i.e. if it is SET or CLEAR). It will essentially find all IP packets since every IP packet has a DF flag (which is either SET or CLEAR).

In the same way "!ip.flags.df" will only match packets where there is no df field at all ==> it will match all non-IP packets.

I see you have one packet that is ICMP. Please note that the ICMP packet will contain 2 IP headers and thus 2 fields "ip.flags.df" which can match a filter.

On Wed, 30 Mar 2005 17:21:28 -0800, Andy Fingerhut <jafingerhut@xxxxxxx> wrote:
> I have a pcap file (attached as two-ip-pkts.pcap) with two IP packets.
> Frame 1 has the DF (Don't Fragment) bit equal to 1. Frame 2 has DF=0.
> This is easily confirmed with:
>
> tethereal -r two-ip-pkts.pcap -V
>
> Also attached is a short shell script repro.sh that I used on a Linux
> 2.4.21 kernel x86 machine to produce the output shown in the attached
> file linux-2.4-repro-output.txt. I got the same results on a Mac OS X
> 10.3.8 machine running tethereal 0.10.3.
>
> I haven't checked on other similar fragmentation flags, but if someone
> fixes this, it would be good to see if other IP header fields have
> similar bugs.
>
> Thanks,
> Andy Fingerhut
>
>
> #! /bin/sh
>
> TETHEREAL=~/sw/ethereal-0.10.10/tethereal
> PCAPFILE=two-ip-pkts.pcap
>
> echo "% uname -a"
> uname -a
> echo "% $TETHEREAL -v"
> $TETHEREAL -v
> echo "% $TETHEREAL -r $PCAPFILE -R 'ip.flags.df'"
> $TETHEREAL -r $PCAPFILE -R 'ip.flags.df'
> echo "% $TETHEREAL -r $PCAPFILE -R '!ip.flags.df'"
> $TETHEREAL -r $PCAPFILE -R '!ip.flags.df'
> echo "% $TETHEREAL -r $PCAPFILE -R 'ip.flags.df == 0'"
> $TETHEREAL -r $PCAPFILE -R 'ip.flags.df == 0'
> echo "% $TETHEREAL -r $PCAPFILE -R 'ip.flags.df == 1'"
> $TETHEREAL -r $PCAPFILE -R 'ip.flags.df == 1'
> echo "% $TETHEREAL -r $PCAPFILE -R '(ip.flags & 0x4000)'"
> $TETHEREAL -r $PCAPFILE -R '(ip.flags & 0x4000)'
> echo "% $TETHEREAL -r $PCAPFILE -R 'ip.flags & 0x0400'"
> $TETHEREAL -r $PCAPFILE -R 'ip.flags & 0x0400'
> echo "% $TETHEREAL -r $PCAPFILE -R '!(ip.flags & 0x4000)'"
> $TETHEREAL -r $PCAPFILE -R '!(ip.flags & 0x4000)'
> echo "% $TETHEREAL -r $PCAPFILE -R '(ip.flags & 0x4000)==0'"
> $TETHEREAL -r $PCAPFILE -R '(ip.flags & 0x4000)==0'
> echo "% $TETHEREAL -r $PCAPFILE -R '(ip.flags & 0x4000)==1'"
> $TETHEREAL -r $PCAPFILE -R '(ip.flags & 0x4000)==1'
>
>
> % uname -a
> Linux wilma.netsift.net 2.4.21-20.0.1.ELsmp #1 SMP Wed Nov 24 20:34:01 EST 2004 i686 i686 i386 GNU/Linux
> % /home/afinger/sw/ethereal-0.10.10/tethereal -v
> tethereal 0.10.10
> Compiled with GLib 2.2.3, with libpcap 0.8.3, with libz 1.1.4, without libpcre,
> without UCD-SNMP or Net-SNMP, without ADNS.
> NOTE: this build doesn't support the "matches" operator for Ethereal filter
> syntax.
> Running with libpcap version 0.8.3 on Linux 2.4.21-20.0.1.ELsmp.
> % /home/afinger/sw/ethereal-0.10.10/tethereal -r two-ip-pkts.pcap -R 'ip.flags.df'
> 1 0.000000 66.50.230.130 -> 207.167.68.223 DCERPC Request: call_id: 1 opnum: 9 ctx_id: 0
> 2 0.000025 192.168.16.101 -> 66.63.235.88 ICMP Destination unreachable (Host unreachable)
> % /home/afinger/sw/ethereal-0.10.10/tethereal -r two-ip-pkts.pcap -R '!ip.flags.df'
> % /home/afinger/sw/ethereal-0.10.10/tethereal -r two-ip-pkts.pcap -R 'ip.flags.df == 0'
> 2 0.000025 192.168.16.101 -> 66.63.235.88 ICMP Destination unreachable (Host unreachable)
> % /home/afinger/sw/ethereal-0.10.10/tethereal -r two-ip-pkts.pcap -R 'ip.flags.df == 1'
> 1 0.000000 66.50.230.130 -> 207.167.68.223 DCERPC Request: call_id: 1 opnum: 9 ctx_id: 0
> 2 0.000025 192.168.16.101 -> 66.63.235.88 ICMP Destination unreachable (Host unreachable)
> % /home/afinger/sw/ethereal-0.10.10/tethereal -r two-ip-pkts.pcap -R '(ip.flags & 0x4000)'
> % /home/afinger/sw/ethereal-0.10.10/tethereal -r two-ip-pkts.pcap -R 'ip.flags & 0x0400'
> % /home/afinger/sw/ethereal-0.10.10/tethereal -r two-ip-pkts.pcap -R '!(ip.flags & 0x4000)'
> 1 0.000000 66.50.230.130 -> 207.167.68.223 DCERPC Request: call_id: 1 opnum: 9 ctx_id: 0
> 2 0.000025 192.168.16.101 -> 66.63.235.88 ICMP Destination unreachable (Host unreachable)
> % /home/afinger/sw/ethereal-0.10.10/tethereal -r two-ip-pkts.pcap -R '(ip.flags & 0x4000)==0'
> tethereal: Syntax error.
> % /home/afinger/sw/ethereal-0.10.10/tethereal -r two-ip-pkts.pcap -R '(ip.flags & 0x4000)==1'
> tethereal: Syntax error.
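As an added example (not code from the thread or from Ethereal), the following Python models the two filter behaviours Ronnie describes: a bare field name tests only for the field's presence in any header of the frame, and an equality test matches if any one occurrence of the field satisfies it. Packet bytes are constructed, and the quoted inner header of the ICMP error having DF set is an assumption chosen to be consistent with the reported output.

```python
import struct

DF = 0x4000          # Don't Fragment bit in the IPv4 flags/fragment-offset word
ICMP_PROTO = 1
IHL_BYTES = 20       # minimal IPv4 header, no options

def ipv4_header(proto, df, src, dst):
    """Build a minimal 20-byte IPv4 header (constructed; checksum left zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 1, DF if df else 0,
                       64, proto, 0, src, dst)

def df_fields(frame):
    """Return the DF value of every IPv4 header a dissector would find in the
    frame: the outer header, plus the original header quoted inside an ICMP
    error (Destination Unreachable / Time Exceeded). Non-IP frames give []."""
    values = []
    if len(frame) < IHL_BYTES or frame[0] >> 4 != 4:
        return values
    values.append(1 if struct.unpack("!H", frame[6:8])[0] & DF else 0)
    if frame[9] == ICMP_PROTO and frame[IHL_BYTES] in (3, 11):
        inner = frame[IHL_BYTES + 8:]          # ICMP error header is 8 bytes
        if len(inner) >= IHL_BYTES and inner[0] >> 4 == 4:
            values.append(1 if struct.unpack("!H", inner[6:8])[0] & DF else 0)
    return values

def matches(frame, op, value=None):
    """Evaluate the three filter shapes from the thread. A field test is true
    if ANY occurrence of the field satisfies it, so a frame with two IP headers
    can match both 'ip.flags.df == 0' and 'ip.flags.df == 1'. '!ip.flags.df'
    is true only when the field is absent, i.e. only for non-IP frames."""
    fields = df_fields(frame)
    if op == "exists":
        return bool(fields)
    if op == "not_exists":
        return not fields
    if op == "==":
        return any(f == value for f in fields)
    raise ValueError(f"unsupported filter shape: {op}")

# Constructed frames mirroring the two packets in the report. Frame 2's inner
# header (DF set, constructed destination) is an assumption matching the output.
FRAME1 = ipv4_header(6, True, bytes([66, 50, 230, 130]), bytes([207, 167, 68, 223]))
INNER = ipv4_header(6, True, bytes([66, 63, 235, 88]), bytes([10, 0, 0, 1]))
FRAME2 = (ipv4_header(ICMP_PROTO, False, bytes([192, 168, 16, 101]),
                      bytes([66, 63, 235, 88]))
          + struct.pack("!BBHI", 3, 1, 0, 0)    # ICMP type 3 code 1: host unreachable
          + INNER)
NON_IP = bytes(40)                               # e.g. an ARP frame: no ip.* fields
```

Run `matches(FRAME2, "==", 0)` and `matches(FRAME2, "==", 1)` to see both return True, which is exactly why the ICMP frame appeared under both filters in the report.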