Ethereal-users: [Ethereal-users] Problem following TCP Streams with Fragmented Packets
Hi, I wondered if anyone can help with this problem.
I am capturing packets from an Ethernet LAN carrying GTP. The GTP tunnel contains TCP/IP data (typically FTP). Because of the GTP overhead, the GTP packets are too large for the Ethernet LAN, so the Ethernet layer fragments each GTP packet into two. Ethereal decodes the packets correctly, describing the first fragment of a pair as "FTP Data" and the second fragment as "fragmented IP protocol". Now when I select one of the "FTP Data" fragments and try to follow the TCP stream, all I get in the 'Contents of TCP Stream' window is the contents of the selected fragment. Meanwhile, the Ethernet window shows only the first fragments of each pair ("FTP Data") of packets in the stream; none of the second fragments are displayed. (I assume this is because the display filter created by Ethereal uses port numbers which are not present in the second "fragmented IP protocol" fragments.)
Is there any way of following the entire stream, or of setting the display filter to include the *relevant* fragments?
Best regards, Mike
Mike Thackray
Nokia Networks
mike.thackray@xxxxxxxxx
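
The behaviour described in the message above, as an added example that is not part of the original post: a port-based filter matches only the fragment at offset 0, while grouping fragments by (source, destination, protocol, IP ID) recovers the whole segment. It simplifies the case to plain IPv4/TCP without the GTP tunnel layer; the addresses, IP ID, payload and function names are constructed for illustration.

```python
import struct
from collections import defaultdict

def ipv4(src, dst, ident, offset, more, payload, proto=6):
    """Minimal 20-byte IPv4 header (checksum left at 0) plus payload."""
    flags_off = (0x2000 if more else 0) | (offset // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                       flags_off, 64, proto, 0, src, dst) + payload

def parse(pkt):
    """Extract the fields needed for filtering and reassembly."""
    ihl = (pkt[0] & 0x0F) * 4
    total, ident, flags_off = struct.unpack("!HHH", pkt[2:8])
    return {"key": (pkt[12:16], pkt[16:20], pkt[9], ident),
            "offset": (flags_off & 0x1FFF) * 8,
            "more": bool(flags_off & 0x2000),
            "data": pkt[ihl:total]}

def ports(pkt):
    """TCP ports are readable only in the fragment with offset 0."""
    f = parse(pkt)
    if f["key"][2] != 6 or f["offset"] != 0 or len(f["data"]) < 4:
        return None
    return struct.unpack("!HH", f["data"][:4])

def reassemble(pkts):
    """Group by (src, dst, proto, id); return payloads of complete datagrams."""
    groups = defaultdict(list)
    for p in pkts:
        f = parse(p)
        groups[f["key"]].append(f)
    done = {}
    for key, frags in groups.items():
        frags.sort(key=lambda f: f["offset"])
        buf = b""
        for f in frags:
            if f["offset"] != len(buf):      # gap or overlap: give up
                break
            buf += f["data"]
        else:
            if not frags[-1]["more"]:        # last fragment was seen
                done[key] = buf
    return done

# Constructed sample: one TCP segment from port 20 (FTP data), split in two.
SRC, DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
SEGMENT = struct.pack("!HHIIBBHHH", 20, 40000, 1, 1, 0x50, 0x18, 8192, 0, 0) + b"A" * 44
CAPTURE = [ipv4(SRC, DST, 0x1234, 24, False, SEGMENT[24:]),   # arrives first
           ipv4(SRC, DST, 0x1234, 0, True, SEGMENT[:24])]
BY_PORT = [p for p in CAPTURE if 20 in (ports(p) or ())]
```

`BY_PORT` holds only the first fragment, while `reassemble(CAPTURE)` returns the full segment regardless of arrival order.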