[Winpcap-users] Problem Reassembling IP Packets, missing packet-fragments!?
Gianluca Varenni
gianluca.varenni at cacetech.com
Mon Apr 30 17:42:07 GMT 2007
The filter you are using discards IP fragments. The problem is that the filtering engine is stateless, it has no concept of IP reassembly. So if you filter on a TCP port, it will only accept packets that do contain a valid UDP header. If you try the same capture filter within Wireshark, you will obtain the same result (only the first fragment captured). The only solution to the problem is filtering on IP addresses with a BPF filter, and then filtering on UDP ports on your own after IP reassembly.
Hope it helps
GV
----- Original Message -----
From: Sam.Fielden at l-3com.com
To: winpcap-users at winpcap.org
Sent: Monday, April 30, 2007 9:11 AM
Subject: RE: [Winpcap-users] Problem Reassembling IP Packets,missing packet-fragments!?
Gianluca,
I am using a capture filter generated by the following code, note an example of the filter is provided in the method documentation.
// generateIOFilter.
// String* server : the ip address (ipv4) of the server for the connection being monitored
// String* client : the ip address (ipv4) of the client for the connection being monitored
// String* port : the port number used for the connection being monitored
// Updates the String* io_filter by adding the details of the connection passed in.
// EG. io_filter = "((ip host 192.168.162.1 or ip host 192.168.162.2) and port 5566)"
void M_Ethernet_Bus::generateIOFilter( String* server, String* client, String* port )
{
    // make an array of the filter tokens. Note that we have included spaces.
    String* tokens[] = {" ((ip host ", server, " or ip host ", client, ") and", " port ", port, ")"};
    // concatenate all the tokens into one string.
    String* io_filter_base = String::Concat(tokens);
    // ensure the filter string is initialised and if it is, then concatenate to support multiple
    // connections.
    if(!io_filter)
        io_filter = "";
    else
        io_filter = String::Concat(io_filter, " or");
    // finally put it all together.
    io_filter = String::Concat(io_filter, io_filter_base);
}
It is not my understanding that using this filter will prevent the subsequent fragments being received by the packet_handler(...) method, please correct me if this is wrong. When using WireShark (and debugging my code simultaneously) I can see the fragments being received in order, yet they are never passed to the packet_handler(...) method.
Thanks for taking the time to peruse this with me.
Regards, Sam.
-----Original Message-----
From: winpcap-users-bounces at winpcap.org [mailto:winpcap-users-bounces at winpcap.org] On Behalf Of Gianluca Varenni
Sent: Friday, April 27, 2007 4:30 PM
To: winpcap-users at winpcap.org
Subject: Re: [Winpcap-users] Problem Reassembling IP Packets,missing packet-fragments!?
----- Original Message -----
From: Sam.Fielden at l-3com.com
To: winpcap-users at winpcap.org
Sent: Wednesday, April 18, 2007 12:48 PM
Subject: [Winpcap-users] Problem Reassembling IP Packets,missing packet-fragments!?
I have written code to reassemble fragmented IP messages and I have a system that is generating fragmented (Ethernet) messages which I can successfully capture using WireShark (all fragments!). However my "packet_handler(...)" method never receives the subsequent fragments, only ever the first (with "ip_header.flags" == 1 and "ip_header.offset" == 0).
As an example every time I enter the "packet_handler(...)" method the "ip_header.identification" always increments by a value of 1. It is my understanding that fragmented IP packets have the same "ip_header.identification" value so this can be used for reassembling the complete message.
I feel like I'm missing something obvious, do I need to 'request' the next fragment from the WinPCap interface or should it arrive, at my "packet_handler(...)" method, in sequence like it does in WireShark??
Are you using a capture filter for that? Wireshark uses winpcap to capture packets, you do not need to request any subsequent frame in an IP fragment. WinPcap has no concept of IP fragments, it just captures ethernet (or any other link layer) packets.
Sam Fielden
Software Engineer
Beca Applied Technologies Ltd
10001 Jack Finney Blvd
Greenville, Texas, 75402
Bldg. 208. CBN011
Ph. (903) 457-4767
Only Bikers understand why dogs love to stick their heads out car windows.
--------------------------------------------------------------------------
_______________________________________________
Winpcap-users mailing list
Winpcap-users at winpcap.org
https://www.winpcap.org/mailman/listinfo/winpcap-users
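The approach from the top reply (capture with a host-only filter such as "ip host 192.168.162.1 or ip host 192.168.162.2", then test the port after reassembly), as an added example that is not code from the thread or from WinPcap. All function names and the two sample packets are constructed for illustration; the code assumes the buffer starts at the IPv4 header, one datagram in flight, and no duplicate or overlapping fragments.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: one UDP datagram (dst port 5566, 16 data bytes) sent as
   two IPv4 fragments with the same identification 0x1234; checksums left 0. */
static const uint8_t frag1[] = { 0x45,0,0,36, 0x12,0x34, 0x20,0x00, 64,17,0,0,
    192,168,162,1, 192,168,162,2,              /* MF=1, fragment offset 0     */
    0xC0,0x00, 0x15,0xBE, 0,24, 0,0, 'A','B','C','D','E','F','G','H' };
static const uint8_t frag2[] = { 0x45,0,0,28, 0x12,0x34, 0x00,0x02, 64,17,0,0,
    192,168,162,1, 192,168,162,2,              /* MF=0, fragment offset 2*8   */
    'I','J','K','L','M','N','O','P' };
#define BE16(p) ((uint16_t)((p)[0] << 8 | (p)[1]))

/* Per-packet test equivalent to "udp port N": ports exist only at offset 0. */
int stateless_port_match(const uint8_t *ip, uint16_t port) {
    const uint8_t *l4 = ip + (ip[0] & 0x0F) * 4;
    if (ip[9] != 17 || (BE16(ip + 6) & 0x1FFF)) return 0;  /* later fragment */
    return BE16(l4) == port || BE16(l4 + 2) == port;
}

struct reasm { uint8_t key[11]; size_t got, total; uint8_t buf[65535]; };
/* Add one fragment; returns 1 once the datagram is complete, -1 if malformed. */
int reasm_add(struct reasm *r, const uint8_t *ip, size_t caplen) {
    size_t hl, tot, off; uint8_t key[11];
    if (caplen < 20) return -1;
    hl = (ip[0] & 0x0F) * 4u; tot = BE16(ip + 2); off = (BE16(ip + 6) & 0x1FFF) * 8u;
    if (hl < 20 || tot < hl || tot > caplen || off + (tot - hl) > sizeof r->buf) return -1;
    memcpy(key, ip + 4, 2); key[2] = ip[9]; memcpy(key + 3, ip + 12, 8);
    if (r->got == 0) memcpy(r->key, key, sizeof key);    /* id, proto, src, dst */
    else if (memcmp(r->key, key, sizeof key)) return 0;  /* another datagram    */
    memcpy(r->buf + off, ip + hl, tot - hl);
    r->got += tot - hl;
    if (!(BE16(ip + 6) & 0x2000)) r->total = off + tot - hl;  /* last fragment */
    return r->total != 0 && r->got == r->total;
}

/* Port test applied after reassembly; a and b may arrive in either order. */
int reassembled_dst_port(const uint8_t *a, size_t al, const uint8_t *b, size_t bl) {
    struct reasm r = {0};
    if (reasm_add(&r, a, al) != 0) return -1;    /* must still be incomplete */
    return reasm_add(&r, b, bl) == 1 ? BE16(r.buf + 2) : -1;
}

int main(void) {
    printf("%d %d %d\n", stateless_port_match(frag1, 5566), stateless_port_match(frag2, 5566),
           reassembled_dst_port(frag1, sizeof frag1, frag2, sizeof frag2));
    return 0;
}
```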