<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>Message</TITLE>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.6000.16414" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT size=2></FONT> </DIV>
<BLOCKQUOTE
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV style="FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV
style="BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: black"><B>From:</B>
<A title=Sam.Fielden@l-3com.com
href="mailto:Sam.Fielden@l-3com.com">Sam.Fielden@l-3com.com</A> </DIV>
<DIV style="FONT: 10pt arial"><B>To:</B> <A title=winpcap-users@winpcap.org
href="mailto:winpcap-users@winpcap.org">winpcap-users@winpcap.org</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Sent:</B> Wednesday, April 18, 2007 12:48
PM</DIV>
<DIV style="FONT: 10pt arial"><B>Subject:</B> [Winpcap-users] Problem
Reassembling IP Packets,missing packet-fragments!?</DIV>
<DIV><FONT size=2></FONT><BR></DIV>
<DIV><FONT face=Arial size=2><SPAN class=734023319-18042007>I have written
code to reassemble fragmented IP messages and I have a system that is
generating fragmented (Ethernet) messages which I can successfully capture
using WireShark (all fragments!). However my "packet_handler(...)" method
never receives the subsequent fragments, only ever the first (with
"ip_header.flags" == 1 and "ip_header.offset" == 0).</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN
class=734023319-18042007></SPAN></FONT> </DIV>
<DIV><FONT face=Arial size=2><SPAN class=734023319-18042007>As an example
every time I enter the "packet_handler(...)" method the
"ip_header.identification" always increments by a value of 1. It is my
understanding that fragmented IP packets have the same
"ip_header.identification" value so this can be used for reassembling the
complete message.</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN
class=734023319-18042007></SPAN></FONT> </DIV>
<DIV><FONT face=Arial size=2><SPAN class=734023319-18042007>I feel like I'm
missing something obvious, do I need to 'request' the next fragment from the
WinPCap interface or should it arrive, at my "packet_handler(...)"
method, in sequence like it does in WireShark??</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><FONT face=Arial size=2><SPAN
class=734023319-18042007></SPAN></FONT></FONT> </DIV>
<DIV><FONT face=Arial size=2><FONT face=Arial size=2><SPAN
class=734023319-18042007></SPAN></FONT></FONT> </DIV></BLOCKQUOTE>
<DIV><FONT face=Arial size=2><FONT face=Arial size=2><SPAN
class=734023319-18042007>Are you using a capture filter for that? Wireshark uses
winpcap to capture packets, you do not need to request any subsequent frame in
an IP fragment. WinPcap has no concept of IP fragments, it just captures
ethernet (or any other link layer) packets.</SPAN></FONT></DIV>
<BLOCKQUOTE
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV><FONT face=Arial size=2><SPAN
class=734023319-18042007></SPAN></FONT> </DIV>
<DIV><FONT face="Courier New" size=2><SPAN
class=734023319-18042007></SPAN></FONT> </DIV></FONT>
<DIV align=left>
<DIV align=left><FONT face=Arial size=2><STRONG>Sam
Fielden</STRONG></FONT></DIV>
<DIV align=left><FONT face=Arial size=1></FONT> </DIV>
<DIV align=left><FONT face=Arial size=1>Software Engineer</FONT></DIV>
<DIV align=left><FONT face=Arial size=1>Beca Applied Technologies
Ltd</FONT></DIV>
<DIV align=left><FONT face=Arial size=1>10001 Jack Finney Blvd</FONT></DIV>
<DIV align=left><FONT face=Arial size=1>Greenville, Texas, 75402</FONT></DIV>
<DIV align=left><FONT face=Arial size=1>Bldg. 208. CBN011</FONT></DIV>
<DIV align=left><FONT face=Arial size=1>Ph. (903) 457-4767</FONT></DIV>
<DIV align=left><FONT face=Arial size=1></FONT> </DIV>
<DIV align=left><FONT face=Arial size=2><EM>Only Bikers understand why dogs
love to stick their heads out car windows.</EM></FONT></DIV></DIV>
<DIV> </DIV>
<P>
<HR>
<P></P>_______________________________________________<BR>Winpcap-users
mailing
list<BR>Winpcap-users@winpcap.org<BR>https://www.winpcap.org/mailman/listinfo/winpcap-users<BR></BLOCKQUOTE></BODY></HTML>