Wireshark-dev: Re: [Wireshark-dev] How to handle duplicate fragments for a plugin written on to
On Mar 25, 2009, at 6:13 PM, siri m wrote:
> We have a legacy custom plugin (written on top of UDP), which
> handles multicast packets which may be fragmented, which works fine
> for normal scenarios. However, the plugin fails to decode for the
> cases where there can be duplicate fragments (e.g. one coming
> from the actual host and another one from a firewall). The fragments
> are exactly the same excepting that the Ethernet source address is
> different.
>
> Can someone give me pointers as to how we could handle this special
> case when re-assembling the fragments? Is there a way to ignore
> packets coming from the firewall?

Check the link-layer source address? It's a structure of type
"address" (just "address", not "struct address") in pinfo->dl_src.
That structure has, as its fields:

    type - if it's a MAC-layer address for Ethernet or other 802.x or
    FDDI, it's AT_ETHER, but it's not *guaranteed* to be AT_ETHER unless
    you've captured it on an Ethernet/other 802.x/FDDI interface;

    len - the length of the address, in bytes;

    data - a pointer to "len" bytes of data.

On the other hand, if the fragments are identical except for the
source MAC address, that presumably means that:

    the Ethernet destination address;
    the IP source and destination addresses;
    the UDP source and destination ports;

are identical, meaning that whatever process receives the packets will
receive *both* packets, so whatever process receives the packets needs
to handle the case of duplicate fragments (by "receives" I'm not
referring to capturing traffic, I'm referring to receiving and
processing the packets as regular input, i.e. the process to which the
packets are *intended* to be sent). How does *it* handle that case?
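
An added example, not code from this thread or from Wireshark: a fragment filter that applies the dl_src check described above and also drops any fragment already seen, whatever its sender. The `address` type here is a stand-in with just the three fields listed in the reply, `msg_id`/`frag_no` are hypothetical names for whatever the legacy protocol uses to identify a fragment, and the MAC addresses and `MAX_SEEN` are constructed values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Stand-in for Wireshark's "address" with only the fields described above;
 * a real dissector includes epan/address.h and reads pinfo->dl_src. */
typedef enum { AT_NONE, AT_ETHER } address_type;
typedef struct { address_type type; int len; const uint8_t *data; } address;
/* Constructed sample MACs, not taken from the thread. */
static const uint8_t HOST_MAC[6]     = { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55 };
static const uint8_t FIREWALL_MAC[6] = { 0x02, 0x00, 0x00, 0x00, 0x00, 0x01 };

/* Type and len are checked: dl_src is not guaranteed to be AT_ETHER. */
static bool dl_src_is(const address *src, const uint8_t mac[6])
{
    return src && src->type == AT_ETHER && src->len == 6 && src->data &&
           memcmp(src->data, mac, 6) == 0;
}

#define MAX_SEEN 256                       /* assumed bound for the sketch */
typedef struct { uint32_t msg_id, frag_no; } frag_key;    /* hypothetical */
typedef struct { frag_key seen[MAX_SEEN]; size_t n; } frag_filter;

/* Returns true if this fragment should be handed to reassembly. */
static bool accept_fragment(frag_filter *f, const address *dl_src,
                            uint32_t msg_id, uint32_t frag_no)
{
    if (dl_src_is(dl_src, FIREWALL_MAC))
        return false;                      /* copy relayed by the firewall */
    for (size_t i = 0; i < f->n; i++)
        if (f->seen[i].msg_id == msg_id && f->seen[i].frag_no == frag_no)
            return false;                  /* duplicate from any sender */
    if (f->n < MAX_SEEN)                   /* full table: accept, untracked */
        f->seen[f->n++] = (frag_key){ msg_id, frag_no };
    return true;
}

/* Constructed traffic: duplicated fragments plus one non-Ethernet source. */
static int demo_accepted_count(void)
{
    address host = { AT_ETHER, 6, HOST_MAC }, fw = { AT_ETHER, 6, FIREWALL_MAC };
    address none = { AT_NONE, 0, NULL };
    frag_filter f = { .n = 0 };
    const struct { const address *src; uint32_t frag_no; } frames[] = {
        { &host, 0 }, { &fw, 0 }, { &fw, 1 }, { &host, 1 }, { &host, 1 }, { &none, 2 } };
    int accepted = 0;
    for (size_t i = 0; i < sizeof frames / sizeof frames[0]; i++)
        accepted += accept_fragment(&f, frames[i].src, 1, frames[i].frag_no);
    return accepted;
}
int main(void) { return demo_accepted_count() == 3 ? 0 : 1; }
```

Wireshark dissects a packet more than once, so a real dissector would make this decision on the first pass over the capture and remember it per frame rather than re-running the seen-table logic on every redissection.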