Wireshark · Wireshark-dev: Re: [Wireshark-dev] How to capture all IP fragments?

Wireshark-dev: Re: [Wireshark-dev] How to capture all IP fragments?

From: Guy Harris <guy@xxxxxxxxxxxx>

Date: Tue, 29 Apr 2008 13:59:37 -0700


On Apr 29, 2008, at 9:48 AM, Maynard, Chris wrote:

In Wireshark, if I want to capture UDP traffic on a specific port (say
port 50000 for purposes of this discussion), I can easily set acapturefilter as "udp port 50000", and I get all the traffic I'm interestedin,
including all IP fragments.

Only if you don't have any fragmented IP datagrams. If you get anyfragments other than the first fragment with that capture filter, thatwould be a miracle.

So, how does Wireshark handle this? I guess there is some magicfilter"behind the scenes" similar to what I have shown above for capturingIP
fragments that takes care of the IP fragment capturing as well?

Nope. It handles it by not handling it; as indicated, perhaps somemiracle happened, but Wireshark just passes the capture filter on topcap_compile().

Follow-Ups:
- Re: [Wireshark-dev] How to capture all IP fragments?
  - From: Maynard, Chris

References:
- [Wireshark-dev] How to capture all IP fragments?
  - From: Maynard, Chris

Prev by Date: Re: [Wireshark-dev] g_ascii_strcasecmp.c and friends
Next by Date: [Wireshark-dev] buildbot failure in Wireshark (development) on Windows-XP-x86
Previous by thread: [Wireshark-dev] How to capture all IP fragments?
Next by thread: Re: [Wireshark-dev] How to capture all IP fragments?
Index(es):
- Date
- Thread