Hi all,
Using Ethereal 0.10.3 at the moment.
I have some traces that involve UDP packets and IP fragmentation.
I turn on the feature:
Preferences->Protocols->IP->Reassemble fragmented IP datagrams
When I view my trace it lets me use display filter to match on
fields etc in the reassembled packet.
I now ideally want to be able to combine the two packets into
one packet and save to a new trace.
Unfortunately if I mark the 'reassembled' packet (easy to do
with a display filter and then 'Mark all packets')
When I do a 'save as' and include only marked packets, it
misses the first IP fragment and the new trace file thus has
packets that only includes the last fragment which then
has no UDP/TCP header which makes them almost useless to me.
Is there a way to easily mark all parts of a fragmented
datagram for future export/printing/saving etc?
As it's a fragmented packet I can match based only on the
src, dst + ipid but in my traces it will be a PITA to go through
150k packets to do this kind of marking manually.
Ethereal already does the reassembly just fine, and the display
shows me the original datagram - now I just want to get what I
see in the display into a separate capture file of a decent
manageable size and include only the particular UDP packets
I am interested in, including any fragments of said packets.
Any help appreciated - otherwise I'll be manually marking
packets for the next few days. :(
Thanks,
Tony
