[Winpcap-users] Udp port filters with IP fragmentation

[Guy Harris]

On Nov 1, 2010, at 7:27 AM, Sassone, Ed wrote:

> If we have udp port filtering set up, IP fragmented packets past the first one will not be processed with the rest of the stream.

Yes, that is true, and not only on Windows - it's inherent in the packet filtering mechanisms in WinPcap and in UN*X systems, which do not maintain any state between packets.  Note also that there is no guarantee that fragments are delivered in order - at least at one point, Linux deliberately sent IP fragments in *reverse* order (so that the fragment that is first transmitted indicates the length of the reassembled packet; the IP reassembly code could, if it sees that packet first, allocate a buffer for it).  This means that a port filter would have to hold onto fragments until the first fragment is seen - it can't just remember the IP ID of first fragments that match the filter and deliver subsequent fragments with the same IP ID when they're received.

There is no workaround, other than doing the filtering yourself in the fashion described in the previous paragraph, and it's unlikely that this will be fixed any time soon.