11

I'm looking for sample code for IP packet reassembly in C with libpcap*. Is IP packet defragmentation implemented in the libpcap library officially? I've found this proposal: [this][1].

Are there any implementations of defragmentation of IP packets?

[1]: http://www.mail-archive.com/tcpdump-workers@lists.tcpdump.org/msg02991.html

*The reason for looking for the sample code is just for fun and learning, and I don't want to spend too much time writing code for IP packet reassembly.

badp
systemsfault
  • Bountied. Looking for pretty much the same thing. OP, @systemsfault, any progress you can share? ;) – kagali-san Nov 19 '10 at 03:58
  • @mhambra, see libnids's code; it seems to use libpcap. Actually I left the project and haven't looked at it again, so I have no suggestion other than tsg's suggestion. – systemsfault Nov 22 '10 at 09:31

3 Answers

9

No, I'm pretty sure that the patch didn't make it into libpcap. But you can do IP defragmentation (and also follow TCP streams) with libnids.

tsg
  • tsg, libnids uses raw Unix sockets but I need an implementation with libpcap, because I'm trying to learn libpcap and trying to build an experimental application with it. lwip also has a packet reassembly/defragmentation feature. – systemsfault Feb 01 '10 at 06:59
  • After a brief look in the libnids code, it seems that it does use libpcap. See for example nids_pcap_handler(). – tsg Feb 02 '10 at 00:34
  • 1
    After a brief look, I can say yes, it uses pcap, but not for reassembly. For reassembly it seems to use raw sockets; see the source code of ip_fragment.c. – systemsfault Nov 22 '10 at 09:40
1

If you're looking for a tool that does IP reassembly you can check out IPDefragUtil. You can also check out IP reassembly source code here and here.

seladb
0

Libpcap is a library to capture raw link-layer packets; it is intended to be used by programs and libraries that do their own processing of those packets, including IP fragment reassembly, etc. Therefore, it does not, and will not ever, do IP reassembly; that belongs in a separate library.
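Since reassembly is left to the program that consumes the captured packets, the following added example (not code from libpcap, libnids, or any of the posts above) sketches the core of an IPv4 reassembler for a single datagram, fed with the bytes that follow the link-layer header in a capture buffer. The names `reasm`, `reasm_add` and `mkfrag` are hypothetical, and rejecting every overlapping, duplicate or oversize fragment is a strict policy chosen here, not something the answers prescribe.

```c
#include <stdint.h>
#include <string.h>

#define MAX_PAYLOAD (65535u - 20u)   /* largest IPv4 payload with a minimal header */

/* State for one datagram. A full reassembler keeps a table of these keyed on
   (src, dst, protocol, IP id) and expires stale entries on a timer. */
struct reasm {
    uint8_t  data[MAX_PAYLOAD], seen[MAX_PAYLOAD];  /* payload, per-byte filled map */
    uint32_t total, filled, hi;  /* final length (0 = unknown), bytes stored, highest end */
};

/* Feed one IPv4 packet starting at its IP header (the bytes after the link-layer
   header in a capture buffer). Returns 1 = complete, 0 = need more, -1 = rejected. */
int reasm_add(struct reasm *r, const uint8_t *pkt, size_t caplen)
{
    if (caplen < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    size_t tot = ((size_t)pkt[2] << 8) | pkt[3];
    if (ihl < 20 || tot <= ihl || tot > caplen) return -1;  /* malformed or truncated */
    uint32_t ff  = ((uint32_t)pkt[6] << 8) | pkt[7];
    uint32_t off = (ff & 0x1fff) * 8;        /* fragment offset is in 8-byte units */
    int      mf  = (ff & 0x2000) != 0;       /* More Fragments flag */
    uint32_t len = (uint32_t)(tot - ihl), end = off + len;

    if (end > MAX_PAYLOAD) return -1;        /* reassembled size would exceed the maximum */
    if (mf && len % 8 != 0) return -1;       /* only the last fragment may be unaligned */
    if (r->total ? (!mf || end > r->total) : (!mf && end < r->hi))
        return -1;                           /* second "last" fragment, or data past the end */
    for (uint32_t i = off; i < end; i++)
        if (r->seen[i]) return -1;           /* overlap or duplicate: reject, never overwrite */
    memcpy(r->data + off, pkt + ihl, len);
    memset(r->seen + off, 1, len);
    r->filled += len;
    if (end > r->hi) r->hi = end;
    if (!mf) r->total = end;
    return r->total != 0 && r->filled == r->total;
}

/* Build a constructed fragment (20-byte header, no options) for testing. */
size_t mkfrag(uint8_t *p, uint32_t off, int mf, const char *payload)
{
    size_t n = strlen(payload), tot = 20 + n;
    memset(p, 0, 20);
    p[0] = 0x45; p[2] = (uint8_t)(tot >> 8); p[3] = (uint8_t)tot;
    p[6] = (uint8_t)((mf ? 0x20 : 0) | ((off / 8) >> 8)); p[7] = (uint8_t)(off / 8);
    memcpy(p + 20, payload, n);
    return tot;
}
```

The `struct reasm` must be zero-initialized before the first fragment, and at roughly 128 KB it belongs in static or heap storage rather than on the stack.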