On Jul 1, 2004, at 2:50 AM, [EMAIL PROTECTED] wrote:

tcpdump doesn't have any specific facility to handle fragmented packets,
as far as I know (it cannot reassemble the fragments).

That capability could be added (Ethereal supports it), although, if provided, it should be an option (as reassembly would consume extra memory - it's an option in Ethereal).


However, that wouldn't help in the packet filtering; neither tcpdump nor Ethereal nor any other program using libpcap/WinPcap to capture traffic can arrange, with a capture filter, to capture all fragments of traffic between two particular transport-layer endpoints, because BPF isn't stateful and can't remember that, if it sees the first fragment of a fragmented IP datagram, it should capture all other fragments between those two IP addresses with the same IP ID.

I.e., tcpdump *doesn't* handle that (and neither does Ethereal).

-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.
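The stateful matching that a BPF capture filter cannot do can be done in user space after capture. This is an added example, not part of the original message or of tcpdump/libpcap; it assumes the capture filter was broad enough to keep all IP traffic between the two hosts, and the function names, addresses, ports and packets are constructed for illustration.

```python
import struct
from socket import inet_aton

def ipv4(src, dst, ident, off8, more, payload, proto=17):
    """Build a constructed IPv4 packet (sample data; checksum left at 0)."""
    flags_off = (0x2000 if more else 0) | off8      # MF bit + offset in 8-byte units
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                       flags_off, 64, proto, 0, inet_aton(src), inet_aton(dst)) + payload

def udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def parse(pkt):
    """Return (datagram key, fragment offset, MF flag, bytes after the IP header)."""
    ihl = (pkt[0] & 0x0F) * 4
    ident, flags_off = struct.unpack("!HH", pkt[4:8])
    key = (pkt[12:16], pkt[16:20], pkt[9], ident)    # src, dst, protocol, IP ID
    return key, flags_off & 0x1FFF, bool(flags_off & 0x2000), pkt[ihl:]

def on_port(parsed, port):
    """Stateless test: only an offset-0 packet carries the TCP/UDP ports."""
    key, off, _more, l4 = parsed
    return (off == 0 and key[2] in (6, 17) and len(l4) >= 4
            and port in struct.unpack("!HH", l4[:4]))

def stateless_match(packets, port):
    """What a per-packet port test can see: later fragments are missed."""
    return [i for i, p in enumerate(packets) if on_port(parse(p), port)]

def stateful_match(packets, port):
    parsed = [parse(p) for p in packets]
    # Pass 1: remember (src, dst, proto, IP ID) of each matching first fragment.
    wanted = {p[0] for p in parsed if p[2] and on_port(p, port)}
    # Pass 2: keep matching offset-0 packets and every fragment with a remembered
    # key; two passes also catch fragments that arrived before their first fragment.
    return [i for i, p in enumerate(parsed)
            if on_port(p, port) or ((p[1] or p[2]) and p[0] in wanted)]

# Constructed sample traffic between two hosts.
A, B = "10.0.0.1", "10.0.0.2"
nfs = udp(40000, 2049, b"A" * 24)     # 32-byte datagram, split at byte 24
dns = udp(40001, 53, b"B" * 24)
SAMPLE = [
    ipv4(A, B, 0x1234, 3, False, nfs[24:]),   # 0: last fragment, arrives first
    ipv4(A, B, 0x1234, 0, True, nfs[:24]),    # 1: first fragment, carries the ports
    ipv4(A, B, 0x9999, 0, True, dns[:24]),    # 2: other flow, first fragment
    ipv4(A, B, 0x9999, 3, False, dns[24:]),   # 3: other flow, last fragment
    ipv4(A, B, 0x0001, 0, False, udp(40002, 2049, b"C" * 8)),  # 4: unfragmented
]
```

On the sample, the per-packet test returns only the packets that carry a UDP header, while the two-pass version also returns the out-of-order trailing fragment of the same datagram.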
