Wireshark-dev: Re: [Wireshark-dev] How to handle duplicate fragments for a plugin written on to
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 7 Apr 2009 18:02:47 -0700

On Mar 25, 2009, at 6:13 PM, siri m wrote:

We have a legacy custom plugin (written on top of UDP), which handles multicast packets which may be fragmented, which works fine for normal scenarios. However, the plugin fails to decode for the cases where there can be duplicate fragments (for eg. one coming from the actual host and another one from a firewall). The fragments are exactly the same excepting that the ethernet source address is different.

Can someone give me pointers as to how we could handle this special case when re-assembling the fragments? Is there a way to ignore packets coming from the firewall?

Check the link-layer source address? It's a structure of type "address" (just "address", not "struct address") in pinfo->dl_src. That structure has, as its fields:

type - if it's a MAC-layer address for Ethernet or other 802.x or FDDI, it's AT_ETHER, but it's not *guaranteed* to be AT_ETHER unless you've captured it on an Ethernet/other 802.x/FDDI interface;

	len - the length of the address, in bytes;

	data - a pointer to "len" bytes of data.

On the other hand, if the fragments are identical except for the source MAC address, that presumably means that:

	the Ethernet destination address;

	the IP source and destination addresses;

	the UDP source and destination ports;

are identical, meaning that whatever process receives the packets will receive *both* packets, so whatever process receives the packets needs to handle the case of duplicate fragments (by "receives" I'm not referring to capturing traffic, I'm referring to receiving and processing the packets as regular input, i.e. the process to which the packets are *intended* to be sent). How does *it* handle that case?