The latest version of tcpdump that I have prints IP fragments like so,
15:30:10.079827 192.168.64.60.256409830 > 192.168.64.50.2049: 1472 write [|nfs]
(frag 24200:1480@0+)
15:30:10.079833 192.168.64.60 > 192.168.64.50: (frag 24200:1480@1480+)
15:30:10.079837 192.168.64.60 > 192.168.64.50: (frag 24200:248@2960)
It is obvious in this context that the fragments correspond to the
first datagram. However, strictly speaking, there is information about
the fragments missing.
IP fragments are reassembled by ensuring that the
( <src_addr>, <dst_addr>, <ip_id>, <proto> )
quartet is the same for each datagram. In the above tcpdump output we
have everything except the protocol.
I made a quick patch to print-ip.c to print the protocol for
fragments. I built and tested the patch on FreeBSD. I am not sure how
portable it would be, but it serves as a demonstration. Fragmentation
like that seen above is now displayed like,
17:03:32.670711 192.168.64.50.2049 > 192.168.64.60.256426538: reply ok 1472 read
(frag 35718:1480@0+)
17:03:32.670718 192.168.64.50 > 192.168.64.60: udp (frag 35718:1480@1480+)
17:03:32.670724 192.168.64.50 > 192.168.64.60: udp (frag 35718:1480@2960+)
17:03:32.670731 192.168.64.50 > 192.168.64.60: udp (frag 35718:1480@4440+)
17:03:32.670738 192.168.64.50 > 192.168.64.60: udp (frag 35718:736@5920)
Index: print-ip.c
===================================================================
RCS file: /export/ncvs/src/contrib/tcpdump/print-ip.c,v
retrieving revision 1.8
diff -u -r1.8 print-ip.c
--- print-ip.c 2001/04/03 07:50:46 1.8
+++ print-ip.c 2001/10/19 00:03:06
@@ -36,6 +36,7 @@
#include <netinet/in.h>
+#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
@@ -516,6 +517,8 @@
*/
len = len0; /* get the original length */
if (off & 0x3fff) {
+ struct protoent *proto;
+
/*
* if this isn't the first frag, we're missing the
* next level protocol header. print the ip addr.
@@ -523,6 +526,14 @@
if (off & 0x1fff)
(void)printf("%s > %s:", ipaddr_string(&ip->ip_src),
ipaddr_string(&ip->ip_dst));
+ /*
+ * Print the protocol for non-initial fragments.
+ */
+ if (off & 0x1ff)
+ if ((proto = getprotobynumber(ip->ip_p)) != NULL)
+ (void)printf(" %s", proto->p_name);
+ else
+ (void)printf(" ip-proto-%d", ip->ip_p);
#ifndef IP_MF
#define IP_MF 0x2000
#endif /* IP_MF */
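Review bot: the new test `if (off & 0x1ff)` uses a 9-bit mask where the check two lines above it uses `0x1fff`, so a non-initial fragment whose offset has its low nine bits clear (offset 512 in 8-byte units, i.e. byte 4096) gets its addresses printed but not its protocol. Use the same `0x1fff` mask, or fold the protocol print into the body of the existing `if (off & 0x1fff)`. The nested `if` / `if` / `else` also has no braces; add them so it is explicit that the `else` pairs with the `getprotobynumber()` check.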
--
Crist J. Clark | [EMAIL PROTECTED]
| [EMAIL PROTECTED]
http://people.freebsd.org/~cjc/ | [EMAIL PROTECTED]
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
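The quartet match described in the message, as an added example that is not part of the original post or of tcpdump: it reassembles by ( src, dst, id, proto ) and shows that a fragment with the same addresses and ID but a different protocol does not fill a hole. The struct, the function names and the ICMP fragment are assumptions made for illustration; the UDP entries mirror the second capture above.

```c
#include <stddef.h>
#include <stdint.h>

#define IP_MF      0x2000u   /* more-fragments flag in ip_off */
#define IP_OFFMASK 0x1fffu   /* 13-bit fragment offset, in 8-byte units */

/* Constructed host-order view of the IPv4 header fields used for reassembly. */
struct frag {
    uint32_t src, dst;   /* ip_src, ip_dst */
    uint16_t id;         /* ip_id */
    uint8_t  proto;      /* ip_p */
    uint16_t off;        /* ip_off: flags plus offset */
    uint16_t len;        /* payload bytes carried by this fragment */
};

/* Fragments belong to one datagram only when the whole quartet matches. */
static int same_datagram(const struct frag *a, const struct frag *b)
{
    return a->src == b->src && a->dst == b->dst &&
           a->id == b->id && a->proto == b->proto;
}

/* Reassembled payload length for key's quartet, or -1 if a hole remains
 * or the final fragment (MF clear) was never seen. */
long reassembled_len(const struct frag *key, const struct frag *f, size_t n)
{
    unsigned long next = 0;                 /* next byte offset needed */
    for (;;) {
        const struct frag *hit = NULL;
        for (size_t i = 0; i < n; i++)
            if (same_datagram(key, &f[i]) &&
                (unsigned long)(f[i].off & IP_OFFMASK) * 8 == next)
                hit = &f[i];
        if (hit == NULL || hit->len == 0)
            return -1;                      /* hole, or no forward progress */
        next += hit->len;
        if (!(hit->off & IP_MF))
            return (long)next;              /* last fragment reached */
    }
}

/* Constructed sample: UDP fragments of id 35718 plus a made-up ICMP one. */
static const struct frag sample[] = {
    { 0xC0A84032u, 0xC0A8403Cu, 35718, 17, IP_MF | 0,   1480 },
    { 0xC0A84032u, 0xC0A8403Cu, 35718, 17, IP_MF | 185, 1480 },
    { 0xC0A84032u, 0xC0A8403Cu, 35718, 17, IP_MF | 370, 1480 },
    { 0xC0A84032u, 0xC0A8403Cu, 35718, 17, IP_MF | 555, 1480 },
    { 0xC0A84032u, 0xC0A8403Cu, 35718,  1, 740,          736 }, /* ICMP */
    { 0xC0A84032u, 0xC0A8403Cu, 35718, 17, 740,          736 },
};
```

With only the first five entries, the UDP datagram stays incomplete even though an ICMP fragment with the same ID sits at offset 5920. That is the ambiguity a reader of the unpatched output cannot resolve.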