<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML xmlns:o =
"urn:schemas-microsoft-com:office:office"><HEAD><TITLE>Message</TITLE>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.6000.16414" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT size=2>The filter you are using discards IP fragments. The problem is
that the filtering engine is stateless; it has no concept of IP reassembly. So
if you filter on a TCP port, it will only accept packets that do contain a valid
UDP header. If you try the same capture filter within Wireshark, you will obtain
the same result (only the first fragment captured). The only solution to the
problem is filtering on IP addresses with a BPF filter, and then filtering on
UDP ports on your own after IP reassembly.</FONT></DIV>
<DIV><FONT size=2></FONT> </DIV>
<DIV><FONT size=2>Hope it helps</FONT></DIV>
<DIV><FONT size=2>GV<BR></FONT></DIV>
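<DIV><FONT size=2>Added example (not part of the original message and not WinPcap code): a C sketch of why a stateless port test accepts only the first fragment, and of the approach described above, matching on IP address only and checking the UDP port after reassembly. The packet bytes, the function names and the single-datagram reassembly buffer are constructed for illustration.</FONT></DIV>

```c
#include <stdint.h>
#include <string.h>
#define RD16(p) ((uint16_t)(((p)[0] << 8) | (p)[1]))   /* big-endian 16-bit read */
/* Constructed sample: one 32-byte UDP datagram (dst port 5566) in two IPv4 fragments. */
static const uint8_t FRAG1[36] = {   /* offset 0, MF=1: carries the UDP header */
    0x45,0,0,36, 0x12,0x34,0x20,0x00, 64,17,0,0, 192,168,162,1, 192,168,162,2,
    0x9c,0x40,0x15,0xbe,0,32,0,0, 'A','A','A','A','A','A','A','A' };
static const uint8_t FRAG2[36] = {   /* offset 16, MF=0: payload bytes only */
    0x45,0,0,36, 0x12,0x34,0x00,0x02, 64,17,0,0, 192,168,162,1, 192,168,162,2,
    'B','B','B','B','B','B','B','B', 'B','B','B','B','B','B','B','B' };

/* Stateless "port N" test: ports are readable only when the fragment offset is 0. */
int port_filter_matches(const uint8_t *ip, uint16_t port) {
    const uint8_t *l4 = ip + (ip[0] & 0x0f) * 4;
    if (ip[9] != 6 && ip[9] != 17) return 0;        /* TCP or UDP only */
    if (RD16(ip + 6) & 0x1fff) return 0;            /* later fragment: no ports */
    return RD16(l4) == port || RD16(l4 + 2) == port;
}

/* "ip host H" test: source or destination equals H; true for every fragment. */
int host_filter_matches(const uint8_t *ip, const uint8_t h[4]) {
    return !memcmp(ip + 12, h, 4) || !memcmp(ip + 16, h, 4);
}

/* One datagram's reassembly state (single ip.id; no timeout or overlap policy). */
struct reasm { uint8_t buf[256], have[256]; int total; };
/* Adds a fragment; returns the datagram length once complete, 0 if not, -1 if bad. */
int reasm_add(struct reasm *r, const uint8_t *ip) {
    int hl = (ip[0] & 0x0f) * 4, n = RD16(ip + 2) - hl, off = (RD16(ip + 6) & 0x1fff) * 8, i;
    if (n <= 0 || off + n > (int)sizeof r->buf) return -1;
    memcpy(r->buf + off, ip + hl, (size_t)n);
    memset(r->have + off, 1, (size_t)n);
    if (!(RD16(ip + 6) & 0x2000)) r->total = off + n;   /* MF=0: last fragment */
    for (i = 0; i < r->total; i++) if (!r->have[i]) return 0;
    return r->total;
}

/* Filters both fragments, reassembles what passed, then reads the UDP dst port. */
int udp_dport_seen(int use_port_filter) {
    static const uint8_t server[4] = {192,168,162,1};
    const uint8_t *pkts[2] = { FRAG1, FRAG2 };
    struct reasm r = {{0}, {0}, 0}; int i, done = 0;
    for (i = 0; i < 2; i++)
        if (use_port_filter ? port_filter_matches(pkts[i], 5566)
                            : host_filter_matches(pkts[i], server))
            done = reasm_add(&r, pkts[i]);
    return done > 0 ? RD16(r.buf + 2) : 0;   /* 0 means the datagram never completed */
}
int main(void) { return udp_dport_seen(0) == 5566 && udp_dport_seen(1) == 0 ? 0 : 1; }
```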
<BLOCKQUOTE
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV style="FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV
style="BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: black"><B>From:</B>
<A title=Sam.Fielden@l-3com.com
href="mailto:Sam.Fielden@l-3com.com">Sam.Fielden@l-3com.com</A> </DIV>
<DIV style="FONT: 10pt arial"><B>To:</B> <A title=winpcap-users@winpcap.org
href="mailto:winpcap-users@winpcap.org">winpcap-users@winpcap.org</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Sent:</B> Monday, April 30, 2007 9:11
AM</DIV>
<DIV style="FONT: 10pt arial"><B>Subject:</B> RE: [Winpcap-users] Problem
Reassembling IP Packets,missing packet-fragments!?</DIV>
<DIV><FONT size=2></FONT><FONT size=2></FONT><BR></DIV>
<DIV><SPAN class=296545515-30042007><FONT face=Arial color=#0000ff
size=2>Gianluca,</FONT></SPAN></DIV>
<DIV><SPAN class=296545515-30042007><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=296545515-30042007><FONT face=Arial color=#0000ff size=2>I am
using a capture filter generated by the following code; note that an example of the
filter is provided in the method documentation.</FONT></SPAN></DIV>
<DIV><SPAN class=296545515-30042007><FONT color=#800000 size=2><FONT
face=Arial color=#0000ff></FONT></FONT></SPAN> </DIV>
<DIV><SPAN class=296545515-30042007><SPAN style="COLOR: green"><FONT
face="Courier New" size=2>// generateIOFilter.</FONT></SPAN></SPAN></DIV>
<DIV><SPAN class=296545515-30042007><SPAN style="COLOR: green"><FONT
face="Courier New" size=2>// String* server : the ip address (ipv4) of the
server for the connection being monitored</FONT></SPAN></SPAN></DIV>
<DIV><SPAN class=296545515-30042007><SPAN style="COLOR: green"><FONT
face="Courier New" size=2>// String* client : the ip address (ipv4) of the
client for the connection being monitored</FONT></SPAN></SPAN></DIV>
<DIV><SPAN class=296545515-30042007><SPAN style="COLOR: green"><FONT
face="Courier New" size=2>// String* port : the port number used
for the connection being monitored</FONT></SPAN></SPAN></DIV>
<DIV><SPAN class=296545515-30042007><SPAN style="COLOR: green"><FONT
face="Courier New" size=2>// Updates the String* io_filter by adding the
details of the connection passed in.</FONT></SPAN></SPAN></DIV>
<DIV><SPAN class=296545515-30042007><SPAN style="COLOR: green"><FONT
face="Courier New" size=2>// EG. io_filter = "((ip host 192.168.162.1 or ip
host 192.168.162.2) and port 5566)"</FONT></SPAN></SPAN></DIV>
<DIV><SPAN class=296545515-30042007><FONT color=#800000>
<P class=MsoNormal
style="MARGIN: 0in 0in 0pt; mso-layout-grid-align: none"><SPAN
style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: 'Courier New'; mso-no-proof: yes">void</SPAN><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-no-proof: yes"><FONT
color=#000000> M_Ethernet_Bus::generateIOFilter( String* server, String*
client, String* port )<o:p></o:p></FONT></SPAN></P>
<P class=MsoNormal
style="MARGIN: 0in 0in 0pt; mso-layout-grid-align: none"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-no-proof: yes"><FONT
color=#000000>{<o:p></o:p></FONT></SPAN></P>
<P class=MsoNormal
style="MARGIN: 0in 0in 0pt; mso-layout-grid-align: none"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-no-proof: yes"><SPAN
style="mso-spacerun: yes"><FONT color=#000000>
</FONT></SPAN><SPAN style="COLOR: green">// make an array of the filter
tokens. Note that we have included spaces<SPAN
class=296545515-30042007>.</SPAN></SPAN></SPAN></P>
<P class=MsoNormal
style="MARGIN: 0in 0in 0pt; mso-layout-grid-align: none"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-no-proof: yes"><FONT
color=#000000><SPAN style="mso-tab-count: 1"> </SPAN><SPAN
style="mso-spacerun: yes"> </SPAN>String* tokens[] = {</FONT><SPAN
style="COLOR: maroon">" ((ip host "</SPAN><FONT color=#000000>, server,
</FONT><SPAN style="COLOR: maroon">" or ip host "</SPAN><FONT color=#000000>,
client, </FONT><SPAN style="COLOR: maroon">") and"</SPAN><FONT color=#000000>,
</FONT><SPAN style="COLOR: maroon">" port "</SPAN><FONT color=#000000>, port,
</FONT><SPAN style="COLOR: maroon">")"</SPAN><FONT
color=#000000>};<o:p></o:p></FONT></SPAN></P>
<P class=MsoNormal
style="MARGIN: 0in 0in 0pt; mso-layout-grid-align: none"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-no-proof: yes"><o:p><FONT
color=#000000> </FONT></o:p></SPAN></P>
<P class=MsoNormal
style="MARGIN: 0in 0in 0pt; mso-layout-grid-align: none"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-no-proof: yes"><SPAN
style="mso-spacerun: yes"><FONT color=#000000>
</FONT></SPAN><SPAN style="COLOR: green">// concatenate all the tokens into
one string<SPAN class=296545515-30042007>.</SPAN></SPAN></SPAN></P>
<P class=MsoNormal
style="MARGIN: 0in 0in 0pt; mso-layout-grid-align: none"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-no-proof: yes"><FONT
color=#000000><SPAN style="mso-spacerun: yes">
</SPAN>String* io_filter_base =
String::Concat(tokens);<o:p></o:p></FONT></SPAN></P>
<P class=MsoNormal
style="MARGIN: 0in 0in 0pt; mso-layout-grid-align: none"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-no-proof: yes"><o:p><FONT
color=#000000> </FONT></o:p></SPAN></P>
<P class=MsoNormal
style="MARGIN: 0in 0in 0pt; mso-layout-grid-align: none"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-no-proof: yes"><o:p><SPAN
style="COLOR: green"><SPAN class=296545515-30042007>
</SPAN>// <SPAN class=296545515-30042007>ensure the filter string is
initialised and if it is, then concatenate to support
multiple</SPAN></SPAN></o:p></SPAN></P>
<P class=MsoNormal
style="MARGIN: 0in 0in 0pt; mso-layout-grid-align: none"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-no-proof: yes"><o:p><SPAN
style="COLOR: green"><SPAN class=296545515-30042007> //
connections.</SPAN></SPAN></o:p></SPAN></P>
<P class=MsoNormal
style="MARGIN: 0in 0in 0pt; mso-layout-grid-align: none"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-no-proof: yes"><SPAN
style="mso-spacerun: yes"><FONT color=#000000>
</FONT></SPAN><SPAN style="COLOR: blue">if</SPAN><FONT
color=#000000>(!io_filter)<o:p></o:p></FONT></SPAN></P>
<P class=MsoNormal
style="MARGIN: 0in 0in 0pt; mso-layout-grid-align: none"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-no-proof: yes"><FONT
color=#000000><SPAN
style="mso-spacerun: yes">
</SPAN>io_filter = </FONT><SPAN style="COLOR: maroon">""</SPAN><FONT
color=#000000>;<o:p></o:p></FONT></SPAN></P>
<P class=MsoNormal
style="MARGIN: 0in 0in 0pt; mso-layout-grid-align: none"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-no-proof: yes"><SPAN
style="mso-spacerun: yes"><FONT color=#000000>
</FONT></SPAN><SPAN style="COLOR: blue">else<o:p></o:p></SPAN></SPAN></P>
<P class=MsoNormal
style="MARGIN: 0in 0in 0pt; mso-layout-grid-align: none"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-no-proof: yes"><FONT
color=#000000><SPAN
style="mso-spacerun: yes">
</SPAN>io_filter = String::Concat(io_filter, </FONT><SPAN
style="COLOR: maroon">" or"</SPAN><FONT
color=#000000>);<o:p></o:p></FONT></SPAN></P>
<P class=MsoNormal
style="MARGIN: 0in 0in 0pt; mso-layout-grid-align: none"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-no-proof: yes"><o:p><FONT
color=#000000> </FONT></o:p></SPAN></P>
<P class=MsoNormal
style="MARGIN: 0in 0in 0pt; mso-layout-grid-align: none"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-no-proof: yes"><SPAN
style="mso-spacerun: yes"><FONT color=#000000>
</FONT></SPAN><SPAN style="COLOR: green">// finally put it all together<SPAN
class=296545515-30042007>.</SPAN></SPAN></SPAN></P>
<P class=MsoNormal
style="MARGIN: 0in 0in 0pt; mso-layout-grid-align: none"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-no-proof: yes"><FONT
color=#000000><SPAN style="mso-spacerun: yes">
</SPAN>io_filter = String::Concat(io_filter,
io_filter_base);<o:p></o:p></FONT></SPAN></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-no-proof: yes"><FONT
color=#000000>}</FONT></SPAN></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-no-proof: yes"><FONT
color=#000000 size=2></FONT></SPAN> </P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-no-proof: yes"><SPAN
class=296545515-30042007><FONT face=Arial color=#0000ff>It is not my
understanding that using this filter will prevent the subsequent fragments
being received by the <FONT
face="Courier New"><STRONG>packet_handler(...)</STRONG></FONT> method; please
correct me if this is wrong. When using Wireshark (and debugging my code
simultaneously) I can see the fragments being received in order, yet they are
never passed to the <STRONG><FONT
face="Courier New">packet_handler(...)</FONT></STRONG>
method.</FONT></SPAN></SPAN></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-no-proof: yes"><SPAN
class=296545515-30042007><FONT face=Arial
color=#0000ff></FONT></SPAN></SPAN> </P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-no-proof: yes"><SPAN
class=296545515-30042007><FONT face=Arial color=#0000ff>Thanks for taking the
time to peruse this with me.</FONT></SPAN></SPAN></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-no-proof: yes"><SPAN
class=296545515-30042007><FONT face=Arial
color=#0000ff></FONT></SPAN></SPAN> </P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-no-proof: yes"><SPAN
class=296545515-30042007><FONT face=Arial color=#0000ff>Regards,
Sam.</FONT></SPAN></SPAN></P></DIV></FONT></SPAN>
<BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px">
<DIV></DIV>
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left><FONT
face=Tahoma size=2>-----Original Message-----<BR><B>From:</B>
winpcap-users-bounces@winpcap.org [mailto:winpcap-users-bounces@winpcap.org]
<B>On Behalf Of </B>Gianluca Varenni<BR><B>Sent:</B> Friday, April 27, 2007
4:30 PM<BR><B>To:</B> winpcap-users@winpcap.org<BR><B>Subject:</B> Re:
[Winpcap-users] Problem Reassembling IP Packets,missing
packet-fragments!?<BR><BR></FONT></DIV>
<DIV><FONT size=2></FONT> </DIV>
<BLOCKQUOTE
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV style="FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV
style="BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: black"><B>From:</B>
<A title=Sam.Fielden@l-3com.com
href="mailto:Sam.Fielden@l-3com.com">Sam.Fielden@l-3com.com</A> </DIV>
<DIV style="FONT: 10pt arial"><B>To:</B> <A
title=winpcap-users@winpcap.org
href="mailto:winpcap-users@winpcap.org">winpcap-users@winpcap.org</A>
</DIV>
<DIV style="FONT: 10pt arial"><B>Sent:</B> Wednesday, April 18, 2007 12:48
PM</DIV>
<DIV style="FONT: 10pt arial"><B>Subject:</B> [Winpcap-users] Problem
Reassembling IP Packets,missing packet-fragments!?</DIV>
<DIV><FONT size=2></FONT><BR></DIV>
<DIV><FONT face=Arial size=2><SPAN class=734023319-18042007>I have written
code to reassemble fragmented IP messages and I have a system that is
generating fragmented (Ethernet) messages which I can successfully capture
using Wireshark (all fragments!). However my "packet_handler(...)" method
never receives the subsequent fragments, only ever the first (with
"ip_header.flags" == 1 and "ip_header.offset" == 0).</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN
class=734023319-18042007></SPAN></FONT> </DIV>
<DIV><FONT face=Arial size=2><SPAN class=734023319-18042007>As an example
every time I enter the "packet_handler(...)" method the
"ip_header.identification" always increments by a value of 1. It is my
understanding that fragmented IP packets have the same
"ip_header.identification" value so this can be used for reassembling the
complete message.</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN
class=734023319-18042007></SPAN></FONT> </DIV>
<DIV><FONT face=Arial size=2><SPAN class=734023319-18042007>I feel like
I'm missing something obvious: do I need to 'request' the next fragment
from the WinPcap interface or should it arrive, at my
"packet_handler(...)" method, in sequence like it does in
Wireshark??</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><FONT face=Arial size=2><SPAN
class=734023319-18042007></SPAN></FONT></FONT> </DIV>
<DIV><FONT face=Arial size=2><FONT face=Arial size=2><SPAN
class=734023319-18042007></SPAN></FONT></FONT> </DIV></BLOCKQUOTE>
<DIV><FONT face=Arial size=2><FONT face=Arial size=2><SPAN
class=734023319-18042007>Are you using a capture filter for that? Wireshark
uses WinPcap to capture packets; you do not need to request any subsequent
frame in an IP fragment. WinPcap has no concept of IP fragments; it just
captures Ethernet (or any other link layer) packets.</SPAN></FONT></DIV>
<BLOCKQUOTE
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV><FONT face=Arial size=2><SPAN
class=734023319-18042007></SPAN></FONT> </DIV>
<DIV><FONT face="Courier New" size=2><SPAN
class=734023319-18042007></SPAN></FONT> </DIV></FONT>
<DIV align=left>
<DIV align=left><FONT face=Arial size=2><STRONG>Sam
Fielden</STRONG></FONT></DIV>
<DIV align=left><FONT face=Arial size=1></FONT> </DIV>
<DIV align=left><FONT face=Arial size=1>Software Engineer</FONT></DIV>
<DIV align=left><FONT face=Arial size=1>Beca Applied Technologies
Ltd</FONT></DIV>
<DIV align=left><FONT face=Arial size=1>10001 Jack Finney
Blvd</FONT></DIV>
<DIV align=left><FONT face=Arial size=1>Greenville, Texas,
75402</FONT></DIV>
<DIV align=left><FONT face=Arial size=1>Bldg. 208. CBN011</FONT></DIV>
<DIV align=left><FONT face=Arial size=1>Ph. (903) 457-4767</FONT></DIV>
<DIV align=left><FONT face=Arial size=1></FONT> </DIV>
<DIV align=left><FONT face=Arial size=2><EM>Only Bikers understand why
dogs love to stick their heads out car windows.</EM></FONT></DIV></DIV>
<DIV> </DIV>
<P>
<HR>
<P></P>_______________________________________________<BR>Winpcap-users
mailing
list<BR>Winpcap-users@winpcap.org<BR>https://www.winpcap.org/mailman/listinfo/winpcap-users<BR></BLOCKQUOTE></BLOCKQUOTE>
</BLOCKQUOTE></BODY></HTML>