Ethereal-users: RE: [Ethereal-users] Saving reassembled IP packets?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Biot Olivier <Olivier.Biot@xxxxxxxxxxx>
Date: Tue, 13 Apr 2004 15:27:29 +0200
Hi Tony,

[Ccing Ethereal-Dev as a FYI (ToDo list item :)]

See answers in-line.

Regards,

Olivier

|-----Original Message-----
|From: Tony Frank
|
|Hi all,
|
|Using Ethereal 0.10.3 at the moment.
|
|I have some traces that involve UDP packets and IP fragmentation.
|I turn on the feature:
|Preferences->Protocols->IP->Reassemble fragmented IP datagrams
|
|When I view my trace it lets me use display filter to match on
|fields etc in the reassembled packet.
|I now ideally want to be able to combine the two packets into
|one packet and save to a new trace.
|
|Unfortunately if I mark the 'reassembled' packet (easy to do
|with a display filter and then 'Mark all packets')
|When I do a 'save as' and include only marked packets, it 
|misses the first IP fragment and the new trace file thus has
|packets that only includes the last fragment which then
|has no UDP/TCP header which makes them almost useless to me.

This is the behavior of Ethereal today. Ethereal will accumulate packets (in
fact, parts of packets) until the "message" has been reassembled. Then only,
the reassembled body will be offered to a higher-level dissector if
applicable. This means that if packets 2 and 5 contain the 2 fragments of a
fragmented IP datagram which conveys say UDP traffic, Ethereal will only
flag packet 5 as UDP.

|Is there a way to easily mark all parts of a fragmented 
|datagram for future export/printing/saving etc?

Not today. It is not easy to implement either (we need to keep information
on the protocol hierarchy, as for an UDP datagram spanning 3 fragmented IP
datagrams running on top of Ethernet we do want all 3 packets to match "udp"
but only the dedicated packet(s) to match an IP or Ethernet (or even
lower-level) protocol display filter.

|As it's a fragmented packet I can match based only on the
|src, dst + ipid but in my traces it will be a PITA to go through
|150k packets to do this kind of marking manually.

True.

|Ethereal already does the reassembly just fine, and the display
|shows me the original datagram - now I just want to get what I 
|see in the display into a separate capture file of a decent
|manageable size and include only the particular UDP packets 
|I am interested in, including any fragments of said packets.

You can try the following however: type "ip.reassembled_in || ip.fragment"
to get all packets that are IP fragments. You can then mark all packets that
match this display filter, and save those matching packets to a file.

Another possibility is to look for the reassembled packet in question, and
then write a display filter like: "ip.reassembled_in == 1234 || frame.number
== 1234" if the interesting REASSEMBLED packet is 1234. You could for
instance first look for the interesting REASSEMBLED packets, mark all those,
print the marked packets as summary to a file, then extract the packet
numbers (1st column), and construct a display filter "ip.reassembled_in ==
XXX || frame.number == XXX" for every packet you printed the summary. You
can then try to paste the combined display filter in the filter box at the
bottom of the Ethereal window (on one line). Your filter expression looks
like:

	"ip.reassembled_in == 1234 || frame.number == 1234
	|| ip.reassembled_in == 5678 || frame.number == 5678"

(on one line).

Then apply the display filter, and select "Save As" and only save the
packets that match your display filter.

|Any help appreciated - otherwise I'll be manually marking
|packets for the next few days. :(

Hopefully the "workarounds" provided will relieve you from some work
though...

Regards,

Olivier