[Winpcap-users] Problem Reassembling IP Packets, missing packet-fragments!?

Gianluca Varenni gianluca.varenni at cacetech.com
Mon Apr 30 17:42:07 GMT 2007


The filter you are using discards IP fragments. The problem is that the filtering engine is stateless, it has no concept of IP reassembly. So if you filter on a TCP port, it will only accept packets that do contain a valid UDP header. If you try the same capture filter within Wireshark, you will obtain the same result (only the first fragment captured). The only solution to the problem is filtering on IP addresses with a BPF filter, and then filtering on UDP ports on your own after IP reassembly.

Hope it helps
GV
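The behaviour described in the reply above (and the reassembly Sam describes in the quoted question below) can be shown offline. The following is an added example, not code from the thread or from WinPcap: it builds two constructed IPv4 fragments of one UDP datagram, emulates what a BPF `udp port N` primitive compiles to (libpcap only compares ports when the fragment offset is zero, so a non-first fragment can never match), shows that an `ip host` match accepts both fragments, and then reassembles the datagram keyed on (src, dst, identification, protocol) before applying the port check. Addresses, port, identification value and payload are constructed sample values.

```python
"""Stateless port filter vs. reassemble-then-filter, on constructed IPv4 fragments."""
import struct

# Constructed sample values (not from the thread's capture).
SERVER = bytes([192, 168, 162, 1])
CLIENT = bytes([192, 168, 162, 2])
PORT = 5566
DATA = (b"fragment-demo-payload " * 100)[:2000]   # 2000 bytes of UDP data
IP_PROTO_UDP = 17


def build_ipv4(src, dst, ident, proto, flags, frag_offset, payload):
    """Minimal IPv4 header (no options, checksum left zero) plus payload.
    flags is the 3-bit field (MF = 1, DF = 2); frag_offset is in 8-byte units."""
    total_len = 20 + len(payload)
    flags_frag = (flags << 13) | frag_offset
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_frag,
                      64, proto, 0, src, dst)
    return hdr + payload


def ip_fields(pkt):
    """Parse the header fields the filters and the reassembler need."""
    ihl = (pkt[0] & 0x0F) * 4
    ident, flags_frag = struct.unpack("!HH", pkt[4:8])
    return {"id": ident, "mf": bool(flags_frag & 0x2000),
            "offset": (flags_frag & 0x1FFF) * 8, "proto": pkt[9],
            "src": pkt[12:16], "dst": pkt[16:20], "payload": pkt[ihl:]}


def match_udp_port(pkt, port):
    """Emulates 'udp port N': the port comparison is guarded by a zero
    fragment-offset check, because only the first fragment carries a UDP header."""
    f = ip_fields(pkt)
    if f["proto"] != IP_PROTO_UDP or f["offset"] != 0:
        return False
    sport, dport = struct.unpack("!HH", f["payload"][:4])
    return port in (sport, dport)


def match_ip_host(pkt, hosts):
    """Emulates 'ip host A or ip host B': address fields exist in every fragment."""
    f = ip_fields(pkt)
    return f["src"] in hosts or f["dst"] in hosts


class Reassembler:
    """Reassembles IPv4 datagrams; fragments may arrive in any order."""

    def __init__(self):
        self.pending = {}

    def feed(self, pkt):
        """Return the full IP payload once every byte up to the last fragment
        is present, otherwise None (state is kept for the missing pieces)."""
        f = ip_fields(pkt)
        key = (f["src"], f["dst"], f["id"], f["proto"])
        st = self.pending.setdefault(key, {"parts": {}, "total": None})
        st["parts"][f["offset"]] = f["payload"]
        if not f["mf"]:                       # last fragment fixes the total length
            st["total"] = f["offset"] + len(f["payload"])
        if st["total"] is None:
            return None
        out, pos = bytearray(), 0
        while pos < st["total"]:              # walk the byte ranges for gaps
            part = st["parts"].get(pos)
            if part is None:
                return None
            out += part
            pos += len(part)
        del self.pending[key]
        return bytes(out)


def make_fragments():
    """One UDP datagram (8-byte header + DATA) split at 1480 bytes, as an
    Ethernet-sized MTU would force; non-last fragment sizes must be multiples of 8."""
    udp = struct.pack("!HHHH", 40000, PORT, 8 + len(DATA), 0) + DATA
    first = build_ipv4(CLIENT, SERVER, 0x1234, IP_PROTO_UDP, 1, 0, udp[:1480])
    second = build_ipv4(CLIENT, SERVER, 0x1234, IP_PROTO_UDP, 0, 1480 // 8, udp[1480:])
    return [first, second]


def demo(order=(0, 1)):
    """Apply both filters per fragment, then reassemble in the given arrival order."""
    frags = make_fragments()
    port_hits = [match_udp_port(p, PORT) for p in frags]
    host_hits = [match_ip_host(p, {SERVER, CLIENT}) for p in frags]
    r = Reassembler()
    delivered = [r.feed(frags[i]) for i in order]
    dgram = delivered[-1]
    _, dport = struct.unpack("!HH", dgram[:4])
    return {"port_filter": port_hits, "host_filter": host_hits,
            "partial": delivered[:-1], "length": len(dgram),
            "dport": dport, "data_ok": dgram[8:] == DATA}


if __name__ == "__main__":
    print(demo())            # port filter sees only the first fragment
    print(demo(order=(1, 0)))  # out-of-order arrival still reassembles
```

The `port_filter` result is `[True, False]` while `host_filter` is `[True, True]`, which is exactly the symptom in the thread: a port-based capture filter hands the callback the first fragment and nothing else. Only after `Reassembler.feed` returns the whole datagram does the destination port become visible for the application-side check.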

  ----- Original Message ----- 
  From: Sam.Fielden at l-3com.com 
  To: winpcap-users at winpcap.org 
  Sent: Monday, April 30, 2007 9:11 AM
  Subject: RE: [Winpcap-users] Problem Reassembling IP Packets,missing packet-fragments!?


  Gianluca,

  I am using a capture filter generated by the following code; note that an example of the filter is provided in the method documentation.

  // generateIOFilter.
  // String* server : the ip address (ipv4) of the server for the connection being monitored
  // String* client : the ip address (ipv4) of the client for the connection being monitored
  // String* port   : the port number used for the connection being monitored
  // Updates the String* io_filter by adding the details of the connection passed in.
  // EG. io_filter = "((ip host 192.168.162.1 or ip host 192.168.162.2) and port 5566)"
  void M_Ethernet_Bus::generateIOFilter( String* server, String* client, String* port )
  {
      // make an array of the filter tokens. Note that we have included spaces.
      String* tokens[] = {" ((ip host ", server, " or ip host ", client, ") and", " port ", port, ")"};

      // concatenate all the tokens into one string.
      String* io_filter_base = String::Concat(tokens);

      // ensure the filter string is initialised and if it is, then concatenate to support multiple
      // connections.
      if(!io_filter)
          io_filter = "";
      else
          io_filter = String::Concat(io_filter, " or");

      // finally put it all together.
      io_filter = String::Concat(io_filter, io_filter_base);
  }



  It is not my understanding that using this filter will prevent the subsequent fragments being received by the packet_handler(...) method; please correct me if this is wrong. When using Wireshark (and debugging my code simultaneously) I can see the fragments being received in order, yet they are never passed to the packet_handler(...) method.



  Thanks for taking the time to peruse this with me.



  Regards, Sam.

    -----Original Message-----
    From: winpcap-users-bounces at winpcap.org [mailto:winpcap-users-bounces at winpcap.org] On Behalf Of Gianluca Varenni
    Sent: Friday, April 27, 2007 4:30 PM
    To: winpcap-users at winpcap.org
    Subject: Re: [Winpcap-users] Problem Reassembling IP Packets,missing packet-fragments!?



      ----- Original Message ----- 
      From: Sam.Fielden at l-3com.com 
      To: winpcap-users at winpcap.org 
      Sent: Wednesday, April 18, 2007 12:48 PM
      Subject: [Winpcap-users] Problem Reassembling IP Packets,missing packet-fragments!?


      I have written code to reassemble fragmented IP messages and I have a system that is generating fragmented (Ethernet) messages which I can successfully capture using Wireshark (all fragments!). However my "packet_handler(...)" method never receives the subsequent fragments, only ever the first (with "ip_header.flags" == 1 and "ip_header.offset" == 0).

      As an example every time I enter the "packet_handler(...)" method the "ip_header.identification" always increments by a value of 1. It is my understanding that fragmented IP packets have the same "ip_header.identification" value so this can be used for reassembling the complete message.

      I feel like I'm missing something obvious; do I need to 'request' the next fragment from the WinPcap interface or should it arrive, at my "packet_handler(...)" method, in sequence like it does in Wireshark?


    Are you using a capture filter for that? Wireshark uses winpcap to capture packets, you do not need to request any subsequent frame in an IP fragment. WinPcap has no concept of IP fragments, it just captures ethernet (or any other link layer) packets.


      Sam Fielden

      Software Engineer
      Beca Applied Technologies Ltd
      10001 Jack Finney Blvd
      Greenville, Texas, 75402
      Bldg. 208. CBN011
      Ph. (903) 457-4767

      Only Bikers understand why dogs love to stick their heads out car windows.



      _______________________________________________
      Winpcap-users mailing list
      Winpcap-users at winpcap.org
      https://www.winpcap.org/mailman/listinfo/winpcap-users


