Re: Getting mbuf length
Re: Getting mbuf length
- Subject: Re: Getting mbuf length
- From: Josh Graessley <email@hidden>
- Date: Wed, 19 Nov 2008 14:01:59 -0500
On Nov 19, 2008, at 1:55 PM, Vincent Lubet wrote:
On Nov 19, 2008, at 8:13 AM, Mitchell Laurren-Ring wrote:
How do you know that you are not seeing the entire IP packet when
you copy the mbuf? Is the more fragments flag set in the IP header?
Wireshark tells me that the packet is broken into two pieces. This
particular packet is an HTTP request. I need to find the "Host:"
part near the end and it doesn't show up in the first half of the
packet.
Is the more fragments flag in the ip_off field?
Yes, it is.
I think you will find there is no IP fragmentation but rather that
the HTTP request is simply too big to fit is a single IP packet.
Remember that the job of IP protocol is to packetize higher level
protocol like UDP, TCP, HTTP, FTP and so on. An IP filter that wants
to parse application level protocols like HTTP needs to be prepared
to deal with all the protocol details of IP, TCP and HTTP.
You may find better luck filtering at the socket layer, where you will
get access to the TCP data after it has been reassembled in to a
stream. You won't have to contend with IP or TCP headers, just the TCP
payload. You may still have to deal with part of a request coming in
one chunk of payload and the remainder of the requesting coming in a
second chunk in a second callback.
-josh
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Macnetworkprog mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden