#31 IPv4 and IPv6 fragment reassembly for ngrep 1.45

open
nobody
None
5
2007-06-18
2007-06-18
Jan Andres
No

This patch adds the "-r" option to ngrep, which will cause it to reassemble any fragmented IPv4 and IPv6 packets before attempting to match and display them.

It will also dump packets in reassembled form using -O, but note that in this case a DLT_RAW pcap file will be written and the original layer-2 headers will not be retained.

Also note that the pcap filter expression is still evaluated before reassembly, so care must be taken to use a filter that includes fragments, e.g. "... or ip[6:2] & 0x1fff != 0' for IPv4, and "... or ip6[6] = 44" for IPv6.

The patch includes the "ipreasm" code which I plan to make available as a standalone library in the future.

Discussion

  • Jan Andres
    Jan Andres
    2007-06-18

    Patch which adds IP fragment reassembly to ngrep 1.45