Ethereal-dev: Re: [Ethereal-dev] Filtering MMS packets
Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.
Victor Vicente wrote:
I know what port is used in the MMSC (MMS Center). Thus, I can filter
the traffic using a BPF filter like this: "tcp and port xxxx". But I've
a little trouble because sometimes MMS packets are fragmented, and the
result of the filtering application are a set of TCP fragmented packets.
These packets must be assembled into HTTP packets (just because MMS
packets are build in the body of HTTP operations (POST & GET)). My
question is the following: can I filter these assembled packets
directly, or should I have to assemble by myself?
If the fragmentation is at the HTTP-over-TCP layer - i.e., if it's a
large HTTP POST or GET that's sent over a TCP connection, and split into
TCP segments by the TCP code - then they're all going to be TCP segments
going to or from the MMSC's TCP port, and a filter expression such as
"tcp port xxxx" (which generates the same code as "tcp and port xxxx")
will match all of the packets.
If the fragmentation is at the IP layer, only the first fragment will be
matched by that filter - but IP-layer fragmentation is rare with TCP
(with path MTU discovery, it should be possible for TCP to avoid it
completely).
However, once you've filtered the packets, libpcap will deliver them as
individual TCP segments; you would have to reassemble them yourself if
you want an MMS message in a single unit.
