On Oct 13, 2009, at 9:05 PM, Abhijit Bare wrote:
> Does tcpdump capture IP fragments by default - when I do not specify any
> filter at all?
Yes, as long as, for example, the network adapter doing the capturing
isn't doing its own IP reassembly, tcpdump (and any other application
using libpcap/WinPcap, e.g. Wireshark/TShark) will, if no filter is
specified, capture all arriving packets not dropped by the capture
mechanism due to the application not processing packets fast enough.
This includes IP fragments. (If a filter *is* specified, it might not
capture IP fragments - a fragment such as "port N", for some value of
N, won't capture IP fragments other than the first fragment, as the
TCP or UDP header, with the port number, will only be in the first
fragment.)
If that's not happening (as I suspect it is, otherwise you probably
wouldn't be asking this question), there's some other problem. Are
you not seeing IP fragments?
-
This is the tcpdump-workers list.
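The point about "port N" missing later fragments can be reproduced offline. The following Python sketch is an added example, not part of the original message or of tcpdump/libpcap: it builds one constructed UDP datagram split into three IPv4 fragments and compares what a port-only match keeps with what a port-or-fragment match keeps. All function names, addresses and port values are assumptions made for the illustration.

```python
import struct

def ipv4_packet(ident, frag_off_bytes, more_frags, payload, proto=17):
    """Build a minimal IPv4 packet (checksum left at 0; constructed test data)."""
    flags_off = (0x2000 if more_frags else 0) | (frag_off_bytes // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_off, 64, proto, 0,
                      bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return hdr + payload

def fragment(ident, l4_datagram, chunk=16):
    """Split one transport datagram into fragments of `chunk` bytes (multiple of 8)."""
    pieces = [l4_datagram[i:i + chunk] for i in range(0, len(l4_datagram), chunk)]
    return [ipv4_packet(ident, i * chunk, i < len(pieces) - 1, p)
            for i, p in enumerate(pieces)]

def matches_port(pkt, port):
    """Approximate a "port N" filter: TCP/UDP only, and only when the
    fragment offset is zero, because later fragments carry no L4 header."""
    ihl = (pkt[0] & 0x0F) * 4
    (flags_off,) = struct.unpack_from("!H", pkt, 6)
    if pkt[9] not in (6, 17) or flags_off & 0x1FFF:
        return False
    sport, dport = struct.unpack_from("!HH", pkt, ihl)
    return port in (sport, dport)

def is_fragment(pkt):
    """Same test as the filter `ip[6:2] & 0x3fff != 0`: MF set or offset > 0."""
    (flags_off,) = struct.unpack_from("!H", pkt, 6)
    return (flags_off & 0x3FFF) != 0

def capture(pkts, port):
    """Indexes kept by "port N" alone, and by "port N or (any IP fragment)"."""
    port_only = [i for i, p in enumerate(pkts) if matches_port(p, port)]
    with_frags = [i for i, p in enumerate(pkts)
                  if matches_port(p, port) or is_fragment(p)]
    return port_only, with_frags

# Constructed sample: one 40-byte UDP datagram (8-byte header + 32 bytes) to port 53.
UDP = struct.pack("!HHHH", 40000, 53, 40, 0) + b"A" * 32
PKTS = fragment(0x1234, UDP)

if __name__ == "__main__":
    print(capture(PKTS, 53))
```

On a live capture the corresponding filter expression would be `port 53 or (ip[6:2] & 0x3fff != 0)`, which also keeps fragments of unrelated datagrams, so the result still needs reassembly to sort out.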