We're now a non-profit! Support open source packet analysis by making a donation.

Wireshark-users: Re: [Wireshark-users] fragmented IP packets

From: Marcin <buscin@xxxxxxxxxx>
Date: Wed, 19 Sep 2007 14:40:48 +0200
Ok. when I read trace with tshark option –X it gives me reassembled packet payload in the very last packet. Problem is that when I use –r option to write it to other file it puts there only fragmented part of the packet not the reassembled one. Do you have any clue for this?



Marcin pisze:
Ok thanks! Another question is:

My case is bit particular. My trace consists of:

1) UDP packets of interest, identified by the particular payload bytes (most of them are fragmented) 2) All the IP packets that are fragmented (this is done in such way to be able to catch all the parts)

So my trace is huge, can I make tshark to reassemble only the packets that interest me? I’m worried about the performance in other case.

Also what I will see in the output trace? Only reassembled packets or also the fragmented parts?


Joerg Mayer pisze:
On Wed, Sep 19, 2007 at 11:09:41AM +0200, Marcin wrote:
Is there a way to merge all the fragmented IP packets and them output them into separate trace? I Would need smth. like:
tshark ???r intrace ???w outrace
to have all the packets merged inside the outrace. I then need to access full payload of the merged packets.

In a newly installed setting wireshark (and tshark) will automagically
reassemble fragmented ip packets: The last fragment will dissect like
the whole packet. This behaviour can be changed via preferences.


To takie proste - u�yj telefonu



Wireshark-users mailing list

To takie proste - u�yj telefonu