Hi list,
please consider for cvs
Attached is a new version of the defragment ip patch. Defragmentation is
controlled in preferences/ip/..
The patch only affects packet-ip.c which is attached.
Attached is also a tgz (see README) containing a handful of captures which
illustrate some detections of illegal fragments.
* Only fragments with correct checksum are added to the fragment list (bug
  fix)
* Even if the packet has been defragmented, we will still check all further
  fragments that arrive for that packet (to see if someone is doing some
  stupid tricks like overlapping fragments and ttl==1 to a host >=1 hops
  beyond our segment)
* All fragments are checked for overlap and overlapping fragments will be
  indicated with "ip.fragments.overlap"
* All overlaps where the overlap contains conflicting (different) data are
  flagged with "ip.fragments.conflicting"
* When a fragment is detected which contains payload beyond the end of the
  packet this is flagged with "ip.fragments.toolongfragment"
* When there are multiple (>1) fragments which indicate last-fragment
  (fragment-offset!=0 and MORE_FRAGMENTS flag NOT set) this is flagged by
  "ip.fragments.multipletails"
* multiple-tails, overlap-conflict and too-long-fragment will also set
  "ip.fragments.error" which is easier to use in a display-filter.
enjoy,
ronnie sahlberg
Attachment:
captures.tgz
Description: application/compressed
Attachment:
packet-ip.c
Description: Binary data
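
The fragment checks listed in the message above, as an added C example that is not part of the original post and is not the code in packet-ip.c. The names struct frag, check_fragments and the FR_* bits are hypothetical; the sketch assumes the datagram end is set by the first tail fragment seen and does not model the checksum test.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Flag bits named after the display-filter fields in the message. */
enum { FR_OVERLAP = 1, FR_CONFLICTING = 2, FR_TOOLONG = 4, FR_MULTIPLETAILS = 8, FR_ERROR = 16 };

/* Hypothetical record: payload offset/length in bytes, MORE_FRAGMENTS flag, payload. */
struct frag { uint32_t off, len; int more; const char *data; };

/* Classify all fragments of one datagram; returns the OR of the flag bits. */
unsigned check_fragments(const struct frag *f, size_t n)
{
    unsigned flags = 0, tails = 0;
    uint32_t end = 0;       /* datagram length declared by the first tail (assumption) */
    for (size_t i = 0; i < n; i++)
        if (f[i].off != 0 && !f[i].more) {          /* a last-fragment */
            if (tails++ == 0) end = f[i].off + f[i].len;
            else flags |= FR_MULTIPLETAILS;
        }
    for (size_t i = 0; i < n; i++) {
        if (tails && f[i].off + f[i].len > end) flags |= FR_TOOLONG;
        for (size_t j = 0; j < i; j++) {
            uint32_t lo = f[i].off > f[j].off ? f[i].off : f[j].off;
            uint32_t ei = f[i].off + f[i].len, ej = f[j].off + f[j].len;
            uint32_t hi = ei < ej ? ei : ej;
            if (lo >= hi) continue;                 /* byte ranges are disjoint */
            flags |= FR_OVERLAP;
            if (memcmp(f[i].data + (lo - f[i].off), f[j].data + (lo - f[j].off), hi - lo))
                flags |= FR_CONFLICTING;            /* same range, different bytes */
        }
    }
    if (flags & (FR_CONFLICTING | FR_TOOLONG | FR_MULTIPLETAILS)) flags |= FR_ERROR;
    return flags;
}

/* Constructed sample datagrams (not taken from captures.tgz). */
const struct frag clean[]     = {{0, 8, 1, "AAAAAAAA"}, {8, 8, 0, "BBBBBBBB"}};
const struct frag benign[]    = {{0, 16, 1, "AAAAAAAABBBBBBBB"}, {8, 8, 0, "BBBBBBBB"}};
const struct frag conflict[]  = {{0, 16, 1, "AAAAAAAABBBBBBBB"}, {8, 8, 0, "XXXXXXXX"}};
const struct frag toolong[]   = {{0, 8, 1, "AAAAAAAA"}, {8, 8, 0, "BBBBBBBB"}, {16, 8, 1, "CCCCCCCC"}};
const struct frag multitail[] = {{0, 8, 1, "AAAAAAAA"}, {8, 8, 0, "BBBBBBBB"}, {8, 4, 0, "BBBB"}};

int main(void)
{
    printf("%u %u %u %u %u\n", check_fragments(clean, 2), check_fragments(benign, 2),
           check_fragments(conflict, 2), check_fragments(toolong, 3), check_fragments(multitail, 3));
    return 0;
}
```

An overlap with identical bytes sets only the overlap bit; the error bit is reserved for the three conditions the message names.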