Wireshark-dev: Re: [Wireshark-dev] How to handle duplicate fragments for a plugin written on to
From: Jeff Morriss <[email protected]>
Date: Thu, 26 Mar 2009 09:38:59 -0400

siri m wrote:

We have a legacy custom plugin (written on top of UDP), which handles multicast packets which may be fragmented, which works fine for normal scenarios. However, the plugin fails to decode for the cases where there can be duplicate fragments (for eg. one coming from the actual host and another one from a firewall). The fragments are exactly the same excepting that the ethernet source address is different.
Can someone give me pointers as to how we could handle this special case 
when re-assembling the fragments? Is there a way to ignore packets 
coming from the firewall? Are there any sample plugins that have handled 
this case, which I can refer to?
Do the fragments have sequence numbers?  If so your reassembly code 
could check them and drop the duplicates.  I think/imagine that's how 
most dissectors handle reassembly.