Wireshark-dev: Re: [Wireshark-dev] How to capture all IP fragments?
From: "Maynard, Chris" <[email protected]>
Date: Wed, 30 Apr 2008 10:29:54 -0400
I must be losing my mind.  I tried this several times yesterday and I
could have sworn I captured all fragments with Wireshark but not with
tcpdump using the same exact capture filter.  Of course today I can't
recreate it, so obviously I was doing something wrong yesterday or just
wildly hallucinating.

OK, well then let me modify the question slightly.  Is there a way to
capture the IP fragments, but only those that are part of the "UDP
stream" I'm interested in?  In other words, if I send a 3K chunk of data
over UDP to port 50000, it will get broken up into 3 IP packets.  I want
to capture all 3 packets, but I don't want to capture any other IP
fragments.  I don't think it's possible via a capture filter but I
figured I would ask.  And so assuming you had other irrelevant IP
fragments in your capture file, is there a way to easily filter them out
using a display filter?  Even that seems difficult to me because I guess
you could use the IP's ID field, but that would only work for a single
instance, and of course I'm looking for the more general case.

- Chris

-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Guy Harris
Sent: Tuesday, April 29, 2008 5:00 PM
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] How to capture all IP fragments?


On Apr 29, 2008, at 9:48 AM, Maynard, Chris wrote:

> In Wireshark, if I want to capture UDP traffic on a specific port (say
> port 50000 for purposes of this discussion), I can easily set a capture
> filter as "udp port 50000", and I get all the traffic I'm interested in,
> including all IP fragments.

Only if you don't have any fragmented IP datagrams.  If you get any  
fragments other than the first fragment with that capture filter, that  
would be a miracle.

> So, how does Wireshark handle this?  I guess there is some magic filter
> "behind the scenes" similar to what I have shown above for capturing IP
> fragments that takes care of the IP fragment capturing as well?

Nope.  It handles it by not handling it; as indicated, perhaps some  
miracle happened, but Wireshark just passes the capture filter on to  
pcap_compile().
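
The point Guy makes above (that "udp port 50000" can only ever match the first fragment, because pcap_compile() emits a fragment-offset-equals-zero test before it looks for the UDP ports, and the later fragments carry no UDP header at all) and Chris's follow-up question (how to keep only the fragments that belong to the port-50000 datagrams) are both shown below in one pure-Python model. This is an added example, not code from the thread, from Wireshark or from libpcap: the packets, addresses, IP IDs and port numbers are constructed in memory so it runs without a capture device, bpf_udp_port() is a hand-written model of the BPF program libpcap generates rather than libpcap itself, and the widened filter "udp port N or (ip[6:2] & 0x1fff != 0)" is the usual tcpdump idiom for also admitting non-first fragments, which over-captures because a later fragment cannot be tied to a port at capture time. The general post-capture answer is to group by the same (src, dst, id, proto) key that IP reassembly uses, which is Chris's IP ID idea applied to every datagram at once instead of one hand-picked ID.

```python
"""Model of why the capture filter "udp port 50000" misses IP fragments.

Added example, not code from the thread or from Wireshark/libpcap.  It
builds fragmented UDP datagrams in memory (constructed packets, no capture
device), applies a pure-Python model of the BPF program pcap_compile()
emits for "udp port N", then shows the post-capture grouping that recovers
every fragment of the datagrams sent to the port of interest.
"""
import socket
import struct

IP_PROTO_UDP = 17
IP_MF = 0x2000           # "more fragments" flag in the flags/fragment-offset field
IP_OFFSET_MASK = 0x1fff  # fragment offset, in 8-byte units


def build_fragments(src, dst, ip_id, sport, dport, payload, mtu=1500):
    """Split one UDP datagram into IPv4 fragments the way a sending stack
    would: only the first fragment carries the 8-byte UDP header."""
    udp_len = 8 + len(payload)
    # UDP checksum 0 means "none" over IPv4; it keeps the model short.
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    per_frag = (mtu - 20) // 8 * 8          # fragment data must be 8-byte aligned
    frags = []
    for off in range(0, len(udp), per_frag):
        chunk = udp[off:off + per_frag]
        more = off + per_frag < len(udp)
        flags_off = (IP_MF if more else 0) | (off // 8)
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(chunk), ip_id,
                          flags_off, 64, IP_PROTO_UDP, 0,
                          socket.inet_aton(src), socket.inet_aton(dst))
        frags.append(hdr + chunk)
    return frags


def parse_ip(pkt):
    """Minimal IPv4 header parse; returns the fields the filters need."""
    (ver_ihl, _tos, _tlen, ip_id, flags_off, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"id": ip_id, "proto": proto, "src": src, "dst": dst,
            "frag_off": flags_off & IP_OFFSET_MASK,
            "more": bool(flags_off & IP_MF), "l4": pkt[ihl:]}


def datagram_key(ip):
    """The tuple IP reassembly groups fragments by."""
    return (ip["src"], ip["dst"], ip["id"], ip["proto"])


def bpf_udp_port(pkt, port):
    """Model of what pcap_compile() generates for "udp port N": IP proto 17,
    fragment offset 0, and only then the port test.  The offset test is what
    drops every fragment after the first: they carry no UDP header to test."""
    ip = parse_ip(pkt)
    if ip["proto"] != IP_PROTO_UDP or ip["frag_off"] != 0:
        return False
    sport, dport = struct.unpack("!HH", ip["l4"][:4])
    return port in (sport, dport)


def bpf_udp_port_or_frag(pkt, port):
    """Model of "udp port N or (ip[6:2] & 0x1fff != 0)", the tcpdump idiom.
    It admits every non-first fragment on the wire, whatever datagram it
    belongs to, because the port is simply not present in those packets."""
    return bpf_udp_port(pkt, port) or parse_ip(pkt)["frag_off"] != 0


def select_stream_fragments(packets, port):
    """Post-capture answer to the display-filter question: keep every packet
    whose datagram key was seen on a first fragment that matched the port.
    Two passes, so fragments arriving before their first fragment still match."""
    keys = {datagram_key(parse_ip(p)) for p in packets if bpf_udp_port(p, port)}
    return [p for p in packets if datagram_key(parse_ip(p)) in keys]


def demo(port=50000):
    """Constructed capture: a 3000-byte datagram to port 50000 (3 fragments),
    an unrelated 2000-byte datagram to port 5353 (2 fragments), and a small
    unfragmented datagram to port 50000.  Addresses and IDs are made up."""
    capture = (build_fragments("10.0.0.1", "10.0.0.2", 0x1234, 40000, port, b"A" * 3000)
               + build_fragments("10.0.0.3", "10.0.0.2", 0x0042, 40001, 5353, b"B" * 2000)
               + build_fragments("10.0.0.4", "10.0.0.2", 0x0007, 40002, port, b"C" * 100))
    return {
        "total": len(capture),
        "udp_port": sum(bpf_udp_port(p, port) for p in capture),
        "udp_port_or_frag": sum(bpf_udp_port_or_frag(p, port) for p in capture),
        "stream_only": len(select_stream_fragments(capture, port)),
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name:18s} {count}")
```

Running demo() on the constructed capture shows the three behaviours side by side: "udp port 50000" keeps 2 of 6 packets (the first fragment of the large datagram and the unfragmented one), the widened filter keeps 5 (it also admits the stray fragment of the port-5353 datagram), and grouping by datagram key after capture keeps exactly the 4 packets that belong to port 50000. The same grouping is what Wireshark's IP reassembly does; at capture time there is no per-port test that can be applied to a non-first fragment.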