<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML xmlns:o =
"urn:schemas-microsoft-com:office:office"><HEAD><TITLE>Message</TITLE>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.2900.3059" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><SPAN class=234130018-30042007><FONT face=Arial color=#0000ff
size=2>Ahhhhh... yes now that you point it out I understand perfectly, as I am
filtering with a port number (which resides in either the TCP or UDP header) I
am essentially ignoring all fragments subsequent to the first (which has the
TCP/UDP header). </FONT></SPAN></DIV>
<DIV><SPAN class=234130018-30042007><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=234130018-30042007><FONT face=Arial color=#0000ff size=2>So
often one cannot see the forest for the trees...</FONT></SPAN></DIV>
<DIV><SPAN class=234130018-30042007><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=234130018-30042007><FONT face=Arial color=#0000ff size=2>Thanks
for your help!</FONT></SPAN></DIV>
<DIV><SPAN class=234130018-30042007><FONT face=Arial color=#0000ff
size=2>Sam</FONT></SPAN></DIV>
<BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px">
<DIV></DIV>
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left><FONT
face=Tahoma size=2>-----Original Message-----<BR><B>From:</B>
winpcap-users-bounces@winpcap.org [mailto:winpcap-users-bounces@winpcap.org]
<B>On Behalf Of </B>Gianluca Varenni<BR><B>Sent:</B> Monday, April 30, 2007
12:42 PM<BR><B>To:</B> winpcap-users@winpcap.org<BR><B>Subject:</B> Re:
[Winpcap-users] Problem Reassembling IP Packets,missing
packet-fragments!?<BR><BR></FONT></DIV>
<DIV><FONT size=2>The filter you are using discards IP fragments. The problem
is that the filtering engine is stateless, it has no concept of IP reassembly.
So if you filter on a TCP port, it will only accept packets that do contain a
valid UDP header. If you try the same capture filter within Wireshark, you
will obtain the same result (only the first fragment captured). The only
solution to the problem is filtering on IP addresses with a BPF filter, and
then filtering on UDP ports on your own after IP reassembly.</FONT></DIV>
<DIV><FONT size=2></FONT> </DIV>
<DIV><FONT size=2>Hope it helps</FONT></DIV>
<DIV><FONT size=2>GV<BR></FONT></DIV>
<BLOCKQUOTE
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV style="FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV
style="BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: black"><B>From:</B>
<A title=Sam.Fielden@l-3com.com
href="mailto:Sam.Fielden@l-3com.com">Sam.Fielden@l-3com.com</A> </DIV>
<DIV style="FONT: 10pt arial"><B>To:</B> <A title=winpcap-users@winpcap.org
href="mailto:winpcap-users@winpcap.org">winpcap-users@winpcap.org</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Sent:</B> Monday, April 30, 2007 9:11
AM</DIV>
<DIV style="FONT: 10pt arial"><B>Subject:</B> RE: [Winpcap-users] Problem
Reassembling IP Packets,missing packet-fragments!?</DIV>
<DIV><FONT size=2></FONT><FONT size=2></FONT><BR></DIV>
<DIV><SPAN class=296545515-30042007><FONT face=Arial color=#0000ff
size=2>Gianluca,</FONT></SPAN></DIV>
<DIV><SPAN class=296545515-30042007><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=296545515-30042007><FONT face=Arial color=#0000ff size=2>I
am using a capture filter generated by the following code, note an example
of the filter is provided in the method documentation.</FONT></SPAN></DIV>
<DIV><SPAN class=296545515-30042007><FONT color=#800000 size=2><FONT
face=Arial color=#0000ff></FONT></FONT></SPAN> </DIV>
<DIV><SPAN class=296545515-30042007><SPAN style="COLOR: green"><FONT
face="Courier New" size=2>// generateIOFilter.</FONT></SPAN></SPAN></DIV>
<DIV><SPAN class=296545515-30042007><SPAN style="COLOR: green"><FONT
face="Courier New" size=2>// String* server : the ip address (ipv4) of the
server for the connection being monitored</FONT></SPAN></SPAN></DIV>
<DIV><SPAN class=296545515-30042007><SPAN style="COLOR: green"><FONT
face="Courier New" size=2>// String* client : the ip address (ipv4) of the
client for the connection being monitored</FONT></SPAN></SPAN></DIV>
<DIV><SPAN class=296545515-30042007><SPAN style="COLOR: green"><FONT
face="Courier New" size=2>// String* port : the port number used
for the connection being monitored</FONT></SPAN></SPAN></DIV>
<DIV><SPAN class=296545515-30042007><SPAN style="COLOR: green"><FONT
face="Courier New" size=2>// Updates the String* io_filter by adding the
details of the connection passed in.</FONT></SPAN></SPAN></DIV>
<DIV><SPAN class=296545515-30042007><SPAN style="COLOR: green"><FONT
face="Courier New" size=2>// EG. io_filter = "((ip host 192.168.162.1 or ip
host 192.168.162.2) and port 5566)"</FONT></SPAN></SPAN></DIV>
<DIV><SPAN class=296545515-30042007><FONT color=#800000>
<P class=MsoNormal
style="MARGIN: 0in 0in 0pt; mso-layout-grid-align: none"><SPAN
style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: 'Courier New'; mso-no-proof: yes">void</SPAN><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-no-proof: yes"><FONT
color=#000000> M_Ethernet_Bus::generateIOFilter( String* server, String*
client, String* port )<o:p></o:p></FONT></SPAN></P>
<P class=MsoNormal
style="MARGIN: 0in 0in 0pt; mso-layout-grid-align: none"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-no-proof: yes"><FONT
color=#000000>{<o:p></o:p></FONT></SPAN></P>
<P class=MsoNormal
style="MARGIN: 0in 0in 0pt; mso-layout-grid-align: none"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-no-proof: yes"><SPAN
style="mso-spacerun: yes"><FONT color=#000000>
</FONT></SPAN><SPAN style="COLOR: green">// make an array of the filter
tokens. Note that we have included spaces<SPAN
class=296545515-30042007>.</SPAN></SPAN></SPAN></P>
<P class=MsoNormal
style="MARGIN: 0in 0in 0pt; mso-layout-grid-align: none"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-no-proof: yes"><FONT
color=#000000><SPAN style="mso-tab-count: 1"> </SPAN><SPAN
style="mso-spacerun: yes"> </SPAN>String* tokens[] = {</FONT><SPAN
style="COLOR: maroon">" ((ip host "</SPAN><FONT color=#000000>, server,
</FONT><SPAN style="COLOR: maroon">" or ip host "</SPAN><FONT
color=#000000>, client, </FONT><SPAN style="COLOR: maroon">")
and"</SPAN><FONT color=#000000>, </FONT><SPAN style="COLOR: maroon">" port
"</SPAN><FONT color=#000000>, port, </FONT><SPAN
style="COLOR: maroon">")"</SPAN><FONT
color=#000000>};<o:p></o:p></FONT></SPAN></P>
<P class=MsoNormal
style="MARGIN: 0in 0in 0pt; mso-layout-grid-align: none"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-no-proof: yes"><o:p><FONT
color=#000000> </FONT></o:p></SPAN></P>
<P class=MsoNormal
style="MARGIN: 0in 0in 0pt; mso-layout-grid-align: none"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-no-proof: yes"><SPAN
style="mso-spacerun: yes"><FONT color=#000000>
</FONT></SPAN><SPAN style="COLOR: green">// concatenate all the tokens into
one string<SPAN class=296545515-30042007>.</SPAN></SPAN></SPAN></P>
<P class=MsoNormal
style="MARGIN: 0in 0in 0pt; mso-layout-grid-align: none"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-no-proof: yes"><FONT
color=#000000><SPAN style="mso-spacerun: yes">
</SPAN>String* io_filter_base =
String::Concat(tokens);<o:p></o:p></FONT></SPAN></P>
<P class=MsoNormal
style="MARGIN: 0in 0in 0pt; mso-layout-grid-align: none"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-no-proof: yes"><o:p><FONT
color=#000000> </FONT></o:p></SPAN></P>
<P class=MsoNormal
style="MARGIN: 0in 0in 0pt; mso-layout-grid-align: none"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-no-proof: yes"><o:p><SPAN
style="COLOR: green"><SPAN class=296545515-30042007>
</SPAN>// <SPAN class=296545515-30042007>ensure the filter string is
initialised and if it is, then concatenate to support
multiple</SPAN></SPAN></o:p></SPAN></P>
<P class=MsoNormal
style="MARGIN: 0in 0in 0pt; mso-layout-grid-align: none"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-no-proof: yes"><o:p><SPAN
style="COLOR: green"><SPAN class=296545515-30042007> //
connections.</SPAN></SPAN></o:p></SPAN></P>
<P class=MsoNormal
style="MARGIN: 0in 0in 0pt; mso-layout-grid-align: none"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-no-proof: yes"><SPAN
style="mso-spacerun: yes"><FONT color=#000000>
</FONT></SPAN><SPAN style="COLOR: blue">if</SPAN><FONT
color=#000000>(!io_filter)<o:p></o:p></FONT></SPAN></P>
<P class=MsoNormal
style="MARGIN: 0in 0in 0pt; mso-layout-grid-align: none"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-no-proof: yes"><FONT
color=#000000><SPAN
style="mso-spacerun: yes">
</SPAN>io_filter = </FONT><SPAN style="COLOR: maroon">""</SPAN><FONT
color=#000000>;<o:p></o:p></FONT></SPAN></P>
<P class=MsoNormal
style="MARGIN: 0in 0in 0pt; mso-layout-grid-align: none"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-no-proof: yes"><SPAN
style="mso-spacerun: yes"><FONT color=#000000>
</FONT></SPAN><SPAN style="COLOR: blue">else<o:p></o:p></SPAN></SPAN></P>
<P class=MsoNormal
style="MARGIN: 0in 0in 0pt; mso-layout-grid-align: none"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-no-proof: yes"><FONT
color=#000000><SPAN
style="mso-spacerun: yes">
</SPAN>io_filter = String::Concat(io_filter, </FONT><SPAN
style="COLOR: maroon">" or"</SPAN><FONT
color=#000000>);<o:p></o:p></FONT></SPAN></P>
<P class=MsoNormal
style="MARGIN: 0in 0in 0pt; mso-layout-grid-align: none"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-no-proof: yes"><o:p><FONT
color=#000000> </FONT></o:p></SPAN></P>
<P class=MsoNormal
style="MARGIN: 0in 0in 0pt; mso-layout-grid-align: none"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-no-proof: yes"><SPAN
style="mso-spacerun: yes"><FONT color=#000000>
</FONT></SPAN><SPAN style="COLOR: green">// finally put it all together<SPAN
class=296545515-30042007>.</SPAN></SPAN></SPAN></P>
<P class=MsoNormal
style="MARGIN: 0in 0in 0pt; mso-layout-grid-align: none"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-no-proof: yes"><FONT
color=#000000><SPAN style="mso-spacerun: yes">
</SPAN>io_filter = String::Concat(io_filter,
io_filter_base);<o:p></o:p></FONT></SPAN></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-no-proof: yes"><FONT
color=#000000>}</FONT></SPAN></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-no-proof: yes"><FONT
color=#000000 size=2></FONT></SPAN> </P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-no-proof: yes"><SPAN
class=296545515-30042007><FONT face=Arial color=#0000ff>It is not my
understanding that using this filter will prevent the subsequent fragments
being received by the <FONT
face="Courier New"><STRONG>packet_handler(...)</STRONG></FONT> method,
please correct me if this is wrong. When using WireShark (and debugging my
code simultaneously) I can see the fragments being received in order, yet
they are never passed to the <STRONG><FONT
face="Courier New">packet_handler(...)</FONT></STRONG>
method.</FONT></SPAN></SPAN></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-no-proof: yes"><SPAN
class=296545515-30042007><FONT face=Arial
color=#0000ff></FONT></SPAN></SPAN> </P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-no-proof: yes"><SPAN
class=296545515-30042007><FONT face=Arial color=#0000ff>Thanks for taking
the time to peruse this with me.</FONT></SPAN></SPAN></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-no-proof: yes"><SPAN
class=296545515-30042007><FONT face=Arial
color=#0000ff></FONT></SPAN></SPAN> </P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-no-proof: yes"><SPAN
class=296545515-30042007><FONT face=Arial color=#0000ff>Regards,
Sam.</FONT></SPAN></SPAN></P></DIV></FONT></SPAN>
<BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px">
<DIV></DIV>
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left><FONT
face=Tahoma size=2>-----Original Message-----<BR><B>From:</B>
winpcap-users-bounces@winpcap.org
[mailto:winpcap-users-bounces@winpcap.org] <B>On Behalf Of </B>Gianluca
Varenni<BR><B>Sent:</B> Friday, April 27, 2007 4:30 PM<BR><B>To:</B>
winpcap-users@winpcap.org<BR><B>Subject:</B> Re: [Winpcap-users] Problem
Reassembling IP Packets,missing packet-fragments!?<BR><BR></FONT></DIV>
<DIV><FONT size=2></FONT> </DIV>
<BLOCKQUOTE
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV style="FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV
style="BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: black"><B>From:</B>
<A title=Sam.Fielden@l-3com.com
href="mailto:Sam.Fielden@l-3com.com">Sam.Fielden@l-3com.com</A> </DIV>
<DIV style="FONT: 10pt arial"><B>To:</B> <A
title=winpcap-users@winpcap.org
href="mailto:winpcap-users@winpcap.org">winpcap-users@winpcap.org</A>
</DIV>
<DIV style="FONT: 10pt arial"><B>Sent:</B> Wednesday, April 18, 2007
12:48 PM</DIV>
<DIV style="FONT: 10pt arial"><B>Subject:</B> [Winpcap-users] Problem
Reassembling IP Packets,missing packet-fragments!?</DIV>
<DIV><FONT size=2></FONT><BR></DIV>
<DIV><FONT face=Arial size=2><SPAN class=734023319-18042007>I have
written code to reassemble fragmented IP messages and I have a system
that is generating fragmented (Ethernet) messages which I can
successfully capture using WireShark (all fragments!). However my
"packet_handler(...)" method never receives the subsequent fragments,
only ever the first (with "ip_header.flags" == 1 and "ip_header.offset"
== 0).</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN
class=734023319-18042007></SPAN></FONT> </DIV>
<DIV><FONT face=Arial size=2><SPAN class=734023319-18042007>As an
example every time I enter the "packet_handler(...)" method the
"ip_header.identification" always increments by a value of 1. It is my
understanding that fragmented IP packets have the same
"ip_header.identification" value so this can be used for reassembling
the complete message.</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN
class=734023319-18042007></SPAN></FONT> </DIV>
<DIV><FONT face=Arial size=2><SPAN class=734023319-18042007>I feel like
I'm missing something obvious, do I need to 'request' the next fragment
from the WinPCap interface or should it arrive, at my
"packet_handler(...)" method, in sequence like it does in
WireShark??</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><FONT face=Arial size=2><SPAN
class=734023319-18042007></SPAN></FONT></FONT> </DIV>
<DIV><FONT face=Arial size=2><FONT face=Arial size=2><SPAN
class=734023319-18042007></SPAN></FONT></FONT> </DIV></BLOCKQUOTE>
<DIV><FONT face=Arial size=2><FONT face=Arial size=2><SPAN
class=734023319-18042007>Are you using a capture filter for that?
Wireshark uses winpcap to capture packets, you do not need to request any
subsequent frame in an IP fragment. WinPcap has no concept of IP
fragments, it just captures ethernet (or any other link layer)
packets.</SPAN></FONT></DIV>
<BLOCKQUOTE
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV><FONT face=Arial size=2><SPAN
class=734023319-18042007></SPAN></FONT> </DIV>
<DIV><FONT face="Courier New" size=2><SPAN
class=734023319-18042007></SPAN></FONT> </DIV></FONT>
<DIV align=left>
<DIV align=left><FONT face=Arial size=2><STRONG>Sam
Fielden</STRONG></FONT></DIV>
<DIV align=left><FONT face=Arial size=1></FONT> </DIV>
<DIV align=left><FONT face=Arial size=1>Software Engineer</FONT></DIV>
<DIV align=left><FONT face=Arial size=1>Beca Applied Technologies
Ltd</FONT></DIV>
<DIV align=left><FONT face=Arial size=1>10001 Jack Finney
Blvd</FONT></DIV>
<DIV align=left><FONT face=Arial size=1>Greenville, Texas,
75402</FONT></DIV>
<DIV align=left><FONT face=Arial size=1>Bldg. 208. CBN011</FONT></DIV>
<DIV align=left><FONT face=Arial size=1>Ph. (903) 457-4767</FONT></DIV>
<DIV align=left><FONT face=Arial size=1></FONT> </DIV>
<DIV align=left><FONT face=Arial size=2><EM>Only Bikers understand why
dogs love to stick their heads out car windows.</EM></FONT></DIV></DIV>
<DIV> </DIV>
<P>
<HR>
<P></P>_______________________________________________<BR>Winpcap-users
mailing
list<BR>Winpcap-users@winpcap.org<BR>https://www.winpcap.org/mailman/listinfo/winpcap-users<BR></BLOCKQUOTE></BLOCKQUOTE>
<P>
<HR>
<P></P>_______________________________________________<BR>Winpcap-users
mailing
list<BR>Winpcap-users@winpcap.org<BR>https://www.winpcap.org/mailman/listinfo/winpcap-users<BR></BLOCKQUOTE></BLOCKQUOTE></BODY></HTML>