In some email I received from Hans Klute, sie wrote: [ Charset ISO-8859-1 unsupported, converting... ] > Hi! > > I just realized a bug/feature of pcap that I didn?t think of. > I wrote a sniffer based on pcap. This sniffer can handle fragmented IP > packets. Now I realized that if you set up a filter with a UDP or TCP port, > you will not get the additional fragments, because in these packets there > are no UDP/TCP headers present from which you can get a port number. So I > want to ask if it is possible to modify pcap behaviour and where to start. > You can tell that a packet should be passed up if the ID in the IP header > matches, the problem of course is if a fragment arrives before the first > packet. I would prefer a modification in pcap, instead of the sniffer, > regarding performance. > > Any suggestions?
You could write a BPF expression to match a particular packet id#. Darren - This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe.
