Hello Guy Harris

Thanks for the detailed answer!

David Front
CERN IT

----- Original Message -----
From: "Guy Harris" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, August 25, 2004 8:18 PM
Subject: Re: [tcpdump-workers] 'tcpdump -s0' payload length limit?

>
> On Aug 25, 2004, at 11:09 AM, Guy Harris wrote:
>
> > Note, however, that the reassembly is *NOT* done at the low-layer
> > capture level, so a capture filter of "port 12509" will only capture
> > the first fragment of a fragmented datagram, and Ethereal and
> > Tethereal will *NOT* be able to reassemble the packet. You would have
> > to specify a filter that looks only at the IP headers, such as a
> > filter that checks for UDP, or that checks for UDP traffic between two
> > particular hosts, in order to capture *all* the fragments.
>
> Or you could use a filter that captures traffic to/from port 12509 *or*
> that has a non-zero fragment offset, so it captures port 12509 traffic
> *and* all fragments other than first/only fragments. That might
> capture fragments that you don't need, but that's the best you can do.
> Constructing such a filter is left as an exercise to the reader.
>
> Such a filter, used with tcpdump, would get the subsequent fragments;
> tcpdump wouldn't reassemble them, but it'd at least print them, which
> might be enough.
>
> -
> This is the tcpdump-workers list.
> Visit https://lists.sandelman.ca/ to unsubscribe.
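
The filter the quoted message leaves as an exercise, as an added example that is not part of the original thread: the pcap expression is in `BPF_FILTER`, and the Python below models its two halves over a constructed fragmented UDP datagram to show which fragments each one catches. The helper names, the documentation addresses and the sample packets are assumptions made for this illustration.

```python
import struct

# pcap-filter expression: port 12509 traffic OR any non-first IPv4 fragment
BPF_FILTER = "port 12509 or (ip[6:2] & 0x1fff != 0)"

def ipv4(proto, frag_units, more_frags, payload, ident=0x1234):
    """Constructed IPv4 packet; checksum left at 0, RFC 5737 addresses."""
    flags_frag = (0x2000 if more_frags else 0) | frag_units
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0,
                      bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return hdr + payload

def frag_offset(pkt):
    """ip[6:2] & 0x1fff: fragment offset in 8-byte units."""
    return struct.unpack("!H", pkt[6:8])[0] & 0x1FFF

def port_match(pkt, port):
    """Model of 'port N': ports are only readable in a first/only fragment."""
    if pkt[9] not in (6, 17, 132) or frag_offset(pkt) != 0:
        return False
    ihl = (pkt[0] & 0x0F) * 4
    if len(pkt) < ihl + 4:
        return False
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return port in (sport, dport)

def combined_match(pkt, port):
    """Model of BPF_FILTER: port match OR non-zero fragment offset."""
    return port_match(pkt, port) or frag_offset(pkt) != 0

def sample_fragments(port=12509, size=3000, mtu_payload=1480):
    """Constructed UDP datagram to `port`, split as IP fragmentation would."""
    udp = struct.pack("!HHHH", 40000, port, 8 + size, 0) + bytes(size)
    chunks = [udp[i:i + mtu_payload] for i in range(0, len(udp), mtu_payload)]
    return [ipv4(17, (i * mtu_payload) // 8, i < len(chunks) - 1, c)
            for i, c in enumerate(chunks)]

if __name__ == "__main__":
    for n, pkt in enumerate(sample_fragments()):
        print(n, "offset", frag_offset(pkt) * 8,
              "port-only:", port_match(pkt, 12509),
              "combined:", combined_match(pkt, 12509))
```

With tcpdump the expression would be passed quoted, for example `tcpdump -s0 'port 12509 or (ip[6:2] & 0x1fff != 0)'`; as the message notes, it also matches later fragments of unrelated datagrams.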