Wireshark-dev: [Wireshark-dev] How to capture all IP fragments?

From: "Maynard, Chris" <Christopher.Maynard@xxxxxxxxx>
Date: Tue, 29 Apr 2008 12:48:17 -0400
In Wireshark, if I want to capture UDP traffic on a specific port (say
port 50000 for purposes of this discussion), I can easily set a capture
filter as "udp port 50000", and I get all the traffic I'm interested in,
including all IP fragments.

However, I have written my own pcap-based capturing tool, and if I use
the same capture filter, I don't get all the IP fragments (just the 1st
one).  I have to use "udp port 50000 or (ip[6:2] & 0x2000 = 0x2000 or
ip[6:2] & 0x1fff !=0x0000)" in order to get all the fragments, but with
that filter, I would also get fragments for all other ports, which is
not what I want.  I tried those exact same filters with tcpdump, and I
got the exact same results.

So, how does Wireshark handle this?  I guess there is some magic filter
"behind the scenes" similar to what I have shown above for capturing IP
fragments that takes care of the IP fragment capturing as well?  I'm not
really familiar with how the capture filters work on Wireshark.

Sorry if this post is better suited to the tcpdump (or possibly even the
winpcap) mailing list(s), but Wireshark seems to have solved this quirk
quite well, so I thought I would try here first.

- Chris
BTW: I'm using libpcap 0.9.8 with my own capture tool, but both
Wireshark and tcpdump are using libpcap 0.8.3.
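As an added example (not code from the post, Wireshark or libpcap), the following Python models what the two capture filters in the post actually test against constructed IPv4 packets, and, going beyond the post, adds a stateful per-datagram tracker that a stateless BPF program cannot express. All function names and the sample packets are constructed for this illustration.

```python
import struct

IPPROTO_UDP = 17

def build_ipv4(src, dst, ident, mf, frag_offset, payload, proto=IPPROTO_UDP):
    """Constructed sample packet: 20-byte IPv4 header without options.
    Checksum is left at 0; the filters below never look at it."""
    flags_frag = (0x2000 if mf else 0) | (frag_offset & 0x1fff)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0, src, dst)
    return hdr + payload

def is_ip_fragment(pkt):
    """Same test as the BPF clause 'ip[6:2] & 0x2000 = 0x2000 or
    ip[6:2] & 0x1fff != 0': MF flag set, or a non-zero fragment offset."""
    flags_frag = struct.unpack_from("!H", pkt, 6)[0]
    return bool(flags_frag & 0x2000) or (flags_frag & 0x1fff) != 0

def matches_udp_port(pkt, port):
    """What 'udp port N' checks: protocol is UDP, fragment offset is 0
    (only the first fragment carries the UDP header), and a port matches.
    Later fragments have no port bytes to compare, so they never match."""
    if pkt[9] != IPPROTO_UDP:
        return False
    if struct.unpack_from("!H", pkt, 6)[0] & 0x1fff:
        return False
    ihl = (pkt[0] & 0x0f) * 4
    sport, dport = struct.unpack_from("!HH", pkt, ihl)
    return port in (sport, dport)

def matches_port_or_any_fragment(pkt, port):
    """The workaround filter from the post: catches every fragment of the
    wanted flow, but also every fragment of every other flow."""
    return matches_udp_port(pkt, port) or is_ip_fragment(pkt)

def keep_port_with_own_fragments(packets, port):
    """Stateful variant a stateless BPF program cannot express: remember the
    (src, dst, IP ID) of datagrams whose first fragment matched the port and
    accept only later fragments carrying the same key. Assumes in-order
    arrival; a trailing fragment that overtakes its first fragment is missed."""
    wanted, kept = set(), []
    for pkt in packets:
        key = (pkt[12:16], pkt[16:20], struct.unpack_from("!H", pkt, 4)[0])
        if matches_udp_port(pkt, port):
            if is_ip_fragment(pkt):
                wanted.add(key)
            kept.append(pkt)
        elif is_ip_fragment(pkt) and key in wanted:
            kept.append(pkt)
    return kept
```

Running the three functions over a fragmented UDP datagram to port 50000 and a fragmented datagram to another port shows the port filter keeping only the first fragment, the workaround filter keeping the other flow's fragments too, and the tracker keeping exactly the wanted datagram.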