Ethereal-users: Re: [Ethereal-users] Filter Question

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Guy Harris" <guy@xxxxxxxxxxxx>
Date: Mon, 20 Oct 2003 10:12:20 -0700 (PDT)
Dinkar Bhat said:
> How do I write a filter to obtain *all fragments* of IP packets for a
> certain host *and* port, and all unfragmented packets for the same host
> and port ?

It's impossible to write a capture filter that will do that, because
capture filters do not preserve any state between packets (the BPF engine
in various OSes that implements them does not support state of that sort),
and because only one fragment contains a given port number field.

Display filters don't support that, either, as the TCP/UDP/etc. headers
are shown only in the reassembled packet, which is constructed only for
the last frame of a reassembled IP packet.
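
The selection asked about needs state across packets, so it can be done as a post-processing step over a saved capture. The following is an added example, not part of the original message and not Ethereal code: a two-pass selection over constructed raw IPv4 packets, grouping fragments by the RFC 791 reassembly key (source, destination, protocol, identification). The function names, addresses and sample packets are assumptions made for illustration.

```python
import socket
import struct

def ipv4(src, dst, ident, off8, more, payload, proto=17):
    """Build a minimal IPv4 packet for the constructed sample (checksum left 0)."""
    frag = (0x2000 if more else 0) | off8          # MF flag + offset in 8-byte units
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, frag,
                       64, proto, 0, socket.inet_aton(src),
                       socket.inet_aton(dst)) + payload

def parse(pkt):
    """Extract the fields needed to group fragments (RFC 791 reassembly key)."""
    ihl = (pkt[0] & 0x0F) * 4
    ident, frag = struct.unpack("!HH", pkt[4:8])
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    return {"key": (src, dst, pkt[9], ident), "offset": frag & 0x1FFF,
            "l4": pkt[ihl:]}

def select(packets, host, port):
    """Return indexes of every packet/fragment of datagrams matching host+port."""
    parsed = [parse(p) for p in packets]
    wanted = set()
    # Pass 1: only offset-0 packets carry the TCP/UDP ports, so they decide.
    for p in parsed:
        src, dst, proto, _ = p["key"]
        if p["offset"] == 0 and proto in (6, 17) and host in (src, dst) \
                and len(p["l4"]) >= 4:
            if port in struct.unpack("!HH", p["l4"][:4]):
                wanted.add(p["key"])
    # Pass 2: keep everything sharing a key with a matching first fragment,
    # which also catches fragments captured before their first fragment.
    return [i for i, p in enumerate(parsed) if p["key"] in wanted]

# Constructed sample: one 24-byte UDP datagram to port 53 split in two fragments
# (captured out of order), one unfragmented datagram, and two non-matching packets.
UDP53 = struct.pack("!HHHH", 40000, 53, 24, 0) + b"A" * 16
NTP = struct.pack("!HHHH", 40001, 123, 8, 0)
SAMPLE = [
    ipv4("10.0.0.5", "10.0.0.9", 7, 2, False, UDP53[16:]),  # 0: last fragment
    ipv4("10.0.0.5", "10.0.0.9", 7, 0, True, UDP53[:16]),   # 1: first fragment
    ipv4("10.0.0.5", "10.0.0.9", 8, 0, False, UDP53),       # 2: unfragmented
    ipv4("10.0.0.5", "10.0.0.9", 9, 0, False, NTP),         # 3: other port
    ipv4("10.0.0.7", "10.0.0.9", 7, 2, False, b"B" * 8),    # 4: other host, same ID
]

if __name__ == "__main__":
    print(select(SAMPLE, "10.0.0.5", 53))
```

IP identification values are reused over time, so on a long capture the key should also be bounded by a time window between the first fragment and the fragments grouped with it.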