[Winpcap-users] Problem Reassembling IP Packets,
missing packet-fragments!?
Sam.Fielden at L-3com.com
Mon Apr 30 18:06:58 GMT 2007
Ahhhhh... yes now that you point it out I understand perfectly, as I am
filtering with a port number (which resides in either the TCP or UDP
header) I am essentially ignoring all fragments subsequent to the first
(which has the TCP/UDP header).
So often one cannot see the forest for the trees...
Thanks for your help!
Sam
-----Original Message-----
From: winpcap-users-bounces at winpcap.org
[mailto:winpcap-users-bounces at winpcap.org] On Behalf Of Gianluca Varenni
Sent: Monday, April 30, 2007 12:42 PM
To: winpcap-users at winpcap.org
Subject: Re: [Winpcap-users] Problem Reassembling IP Packets, missing packet-fragments!?
The filter you are using discards IP fragments. The problem is
that the filtering engine is stateless, it has no concept of IP
reassembly. So if you filter on a TCP port, it will only accept packets
that do contain a valid UDP header. If you try the same capture filter
within Wireshark, you will obtain the same result (only the first
fragment captured). The only solution to the problem is filtering on IP
addresses with a BPF filter, and then filtering on UDP ports on your own
after IP reassembly.
Hope it helps
GV
----- Original Message -----
From: Sam.Fielden at l-3com.com
To: winpcap-users at winpcap.org
Sent: Monday, April 30, 2007 9:11 AM
Subject: RE: [Winpcap-users] Problem Reassembling IP Packets, missing packet-fragments!?
Gianluca,
I am using a capture filter generated by the following
code, note an example of the filter is provided in the method
documentation.
    // generateIOFilter.
    // String* server : the ip address (ipv4) of the server for the connection being monitored
    // String* client : the ip address (ipv4) of the client for the connection being monitored
    // String* port   : the port number used for the connection being monitored
    // Updates the String* io_filter by adding the details of the connection passed in.
    // EG. io_filter = "((ip host 192.168.162.1 or ip host 192.168.162.2) and port 5566)"
    void M_Ethernet_Bus::generateIOFilter( String* server, String* client, String* port )
    {
        // make an array of the filter tokens. Note that we have included spaces.
        String* tokens[] = {" ((ip host ", server, " or ip host ", client, ") and", " port ", port, ")"};
        // concatenate all the tokens into one string.
        String* io_filter_base = String::Concat(tokens);
        // ensure the filter string is initialised and if it is, then concatenate to support multiple
        // connections.
        if(!io_filter)
            io_filter = "";
        else
            io_filter = String::Concat(io_filter, " or");
        // finally put it all together.
        io_filter = String::Concat(io_filter, io_filter_base);
    }
It is not my understanding that using this filter will
prevent the subsequent fragments being received by the
packet_handler(...) method, please correct me if this is wrong. When
using WireShark (and debugging my code simultaneously) I can see the
fragments being received in order, yet they are never passed to the
packet_handler(...) method.
Thanks for taking the time to peruse this with me.
Regards, Sam.
-----Original Message-----
From: winpcap-users-bounces at winpcap.org
[mailto:winpcap-users-bounces at winpcap.org] On Behalf Of Gianluca Varenni
Sent: Friday, April 27, 2007 4:30 PM
To: winpcap-users at winpcap.org
Subject: Re: [Winpcap-users] Problem Reassembling IP Packets, missing packet-fragments!?
----- Original Message -----
From: Sam.Fielden at l-3com.com
To: winpcap-users at winpcap.org
Sent: Wednesday, April 18, 2007 12:48 PM
Subject: [Winpcap-users] Problem Reassembling IP Packets, missing packet-fragments!?
I have written code to reassemble
fragmented IP messages and I have a system that is generating fragmented
(Ethernet) messages which I can successfully capture using WireShark
(all fragments!). However my "packet_handler(...)" method never receives
the subsequent fragments, only ever the first (with "ip_header.flags" ==
1 and "ip_header.offset" == 0).
As an example every time I enter the
"packet_handler(...)" method the "ip_header.identification" always
increments by a value of 1. It is my understanding that fragmented IP
packets have the same "ip_header.identification" value so this can be
used for reassembling the complete message.
I feel like I'm missing something
obvious, do I need to 'request' the next fragment from the WinPCap
interface or should it arrive, at my "packet_handler(...)" method, in
sequence like it does in WireShark??
Are you using a capture filter for that?
Wireshark uses winpcap to capture packets, you do not need to request
any subsequent frame in an IP fragment. WinPcap has no concept of IP
fragments, it just captures ethernet (or any other link layer) packets.
Sam Fielden
Software Engineer
Beca Applied Technologies Ltd
10001 Jack Finney Blvd
Greenville, Texas, 75402
Bldg. 208. CBN011
Ph. (903) 457-4767
Only Bikers understand why dogs love to
stick their heads out car windows.
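An added example, not code from this thread or from WinPcap, that shows the point Gianluca makes above in working form: a stateless "port N" test (which is all a BPF capture filter can do) matches only the first fragment, because only that fragment carries the UDP header, while the same test applied after IP reassembly matches the whole datagram. The fragment builder, the 192.168.162.x hosts, the identification value and the reassembler are all constructed here for illustration; in a real capture the host-filtered packets from packet_handler(...) would be fed to add_fragment.

```python
import struct

def fragment(src, dst, ident, proto, data, size=1480):
    """Split an IP payload into fragments behind minimal 20-byte IPv4 headers (size: multiple of 8)."""
    frags = []
    for off in range(0, len(data), size):
        chunk, more = data[off:off + size], off + size < len(data)
        flags_frag = (0x2000 if more else 0) | (off // 8)   # MF flag, offset in 8-byte units
        frags.append(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(chunk), ident,
                                 flags_frag, 64, proto, 0, src, dst) + chunk)
    return frags

def parse_ipv4(pkt):
    """Return (flow key, byte offset, more-fragments flag, payload) of one IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ident, flags_frag = struct.unpack("!HHH", pkt[2:8])
    key = (pkt[12:16], pkt[16:20], ident, pkt[9])          # src, dst, identification, protocol
    return key, (flags_frag & 0x1FFF) * 8, bool(flags_frag & 0x2000), pkt[ihl:total_len]

def udp_port_match(payload, port):
    """Stateless 'port N' test, like the BPF predicate: true only if the UDP header is in this packet."""
    if len(payload) < 8:
        return False
    return port in struct.unpack("!HH", payload[:4])

def add_fragment(pending, pkt):
    """File one fragment under (src, dst, id, proto); return the full datagram once it is contiguous."""
    key, offset, more, payload = parse_ipv4(pkt)
    frags = pending.setdefault(key, {})
    frags[offset] = (payload, more)
    expected, parts = 0, []
    for off in sorted(frags):
        if off != expected:
            return None                    # hole before this fragment: keep waiting
        data, more = frags[off]
        parts.append(data)
        expected += len(data)
        if not more:                       # last fragment (MF=0) reached with no holes
            del pending[key]
            return b"".join(parts)
    return None                            # last fragment not seen yet

# Constructed sample: one 3000-byte UDP datagram to port 5566, split into three IP fragments.
UDP = struct.pack("!HHHH", 4000, 5566, 8 + 3000, 0) + b"x" * 3000
FRAGS = fragment(b"\xc0\xa8\xa2\x01", b"\xc0\xa8\xa2\x02", 0x1234, 17, UDP)
PER_FRAGMENT = [udp_port_match(parse_ipv4(f)[3], 5566) for f in FRAGS]        # [True, False, False]
PENDING = {}
DATAGRAMS = [d for d in (add_fragment(PENDING, f) for f in FRAGS) if d is not None]
AFTER_REASSEMBLY = [udp_port_match(d, 5566) for d in DATAGRAMS]               # [True]
```

The reassembler also copes with fragments arriving out of order, which a per-packet capture filter cannot do at all.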
________________________________
_______________________________________________
Winpcap-users mailing list
Winpcap-users at winpcap.org
https://www.winpcap.org/mailman/listinfo/winpcap-users