On Nov 23, 2010, at 12:51 AM, Ankith Agarwal wrote:

>  I am trying to filter all the SIP packets using pcap filter on ports of
> 5060 and 5061. But, some of the SIP packets are fragmented in the IP layer
> because of their size (greater than MTU). I wanted to know whether the
> pcap_loop api gives these packets by combining it, or it just gives the
> last fragment of the packet.

The pcap_loop API gives each *link-layer* packet, as received by the network 
adapter, that matches the filter.  The same is true of all other packet-reading 
APIs (pcap_dispatch(), pcap_next(), and pcap_next_ex()), as they all run atop 
the same underlying packet capture mechanism.

A fragmented IP datagram has the TCP or UDP header in the first fragment, so if 
your filter is filtering on a TCP or UDP port number, only the *FIRST* fragment 
will be delivered.  If you want to capture *ALL* fragments, you will either 
need to capture with a filter that doesn't specify a TCP or UDP port number (or 
anything else in the TCP or UDP header), or that specifies "either this port 
number *OR* not the first fragment", and discard fragments that aren't part of 
an interesting reassembled fragment yourself.

None of the libpcap/WinPcap APIs will reassemble packets for you; you will have 
to do the reassembly yourself (and discard fragments that aren't part of a 
packet sent to or from the ports you specify).

(This is presumably SIP-over-UDP; if it's SIP-over-TCP or SIP-over-SCTP, the 
packets are probably "fragmented" at the TCP or SCTP layer, not the IP layer.)
-
This is the tcpdump-workers list.
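
The "this port *OR* not the first fragment" approach described in the reply, as an added example that is not part of the original message or of libpcap: the callback-side check that keeps later fragments only when they belong to a datagram whose first fragment was on port 5060 or 5061. The filter string in the comment and the names `keep_packet`, `build` and `demo` are assumptions made for illustration; the sketch covers IPv4 only, expects the first fragment to arrive before the others, and never expires tracked entries.

```c
#include <stdint.h>
#include <string.h>

/* Assumed capture filter (first fragments by port, later ones by offset):
 *   udp port 5060 or udp port 5061 or (ip[6:2] & 0x1fff != 0)            */
#define MAX_TRACKED 64
static struct frag_key { uint8_t addrs[8]; uint16_t id; } tracked[MAX_TRACKED];
static int n_tracked;   /* datagrams whose first fragment was SIP */

static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static int sip_port(uint16_t port) { return port == 5060 || port == 5061; }

/* ip points at the IPv4 header; returns 1 to keep the packet, 0 to discard it. */
int keep_packet(const uint8_t *ip, size_t caplen) {
    if (caplen < 20 || (ip[0] >> 4) != 4 || ip[9] != 17) return 0;  /* IPv4 UDP only */
    uint16_t id = be16(ip + 4), frag = be16(ip + 6);
    if ((frag & 0x1fff) == 0) {              /* offset 0: UDP header is present */
        size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
        if (ihl < 20 || caplen < ihl + 4) return 0;
        if (!sip_port(be16(ip + ihl)) && !sip_port(be16(ip + ihl + 2))) return 0;
        if ((frag & 0x2000) && n_tracked < MAX_TRACKED) {   /* MF set: remember it */
            memcpy(tracked[n_tracked].addrs, ip + 12, 8);
            tracked[n_tracked++].id = id;
        }
        return 1;
    }
    for (int i = 0; i < n_tracked; i++)      /* later fragment: no ports to inspect */
        if (tracked[i].id == id && memcmp(tracked[i].addrs, ip + 12, 8) == 0)
            return 1;
    return 0;
}

/* Constructed sample input: minimal 28-byte IPv4+UDP packet, 10.0.0.1 -> 10.0.0.2. */
static size_t build(uint8_t *b, uint16_t id, uint16_t frag, uint16_t dport) {
    memset(b, 0, 28);
    b[0] = 0x45; b[4] = id >> 8; b[5] = id & 0xff; b[6] = frag >> 8; b[7] = frag & 0xff;
    b[9] = 17; b[12] = b[16] = 10; b[15] = 1; b[19] = 2;
    b[20] = 0x30; b[21] = 0x39; b[22] = dport >> 8; b[23] = dport & 0xff; /* sport 12345 */
    return 28;
}

/* Feeds four constructed packets through; bit n is set if packet n was kept. */
int demo(void) {
    uint8_t p[28];
    int r = keep_packet(p, build(p, 7, 0x2000, 5060));   /* first fragment, SIP  */
    r |= keep_packet(p, build(p, 7, 0x00b9, 0)) << 1;    /* later fragment, id 7 */
    r |= keep_packet(p, build(p, 9, 0x2000, 53)) << 2;   /* first fragment, DNS  */
    r |= keep_packet(p, build(p, 9, 0x00b9, 0)) << 3;    /* its later fragment   */
    return r;
}
```

In a real capture loop the pointer passed to `keep_packet` is the packet data advanced past the link-layer header, and the kept fragments still have to be reassembled by offset before the SIP payload can be parsed.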