Reassembling fragmented UDP packet

I have a pcap of various types of traffic over 802.11 (wifi) over UDP. The UDP (or more precisely IP) fragments the wifi packets due to the MTU. I am currently using SharpPcap to read in and try and access the wifi traffic and am running into the issue of having to manually reassemble the UDP packets.

I see two options, and I want to check if they are possible, the best solutions or if there is something I'm overlooking. Ultimately I will be accessing a live feed (same format, wifi over UDP) streamed to me over UDP (the one previously mentioned), but for testing purposes I have to play with pcaps.

I can either manually load the pcap file, reassemble it by fragment offset and packet id, having a state machine keeping track of all packets. Or I can try and avoid reassembly, (I figure the socket should do it for me) load the pcap file, output to a raw socket on localhost, and listen to a UDP socket on the localhost. I am avoiding the first until really necessary (is it?) and the second seems like it should work but doesn't. I have all that set up, but the packets still get sent and received one by one, as byte arrays - and fragmented.

Could this be because the IP layer still contains the original captured IP dest address and port (which is different)? I tried changing these prior to sending, although I didn't change the checksum, and it still came through fragmented.

Ran into your old question searching for a solution to my own problem defragmenting.

The way I understand it - since you're doing packet capture / pcap reading, you have to defragment the IP packets yourself. If you were an actual application communicating on the network, the IP stack of your OS would do this for you, and you could read the data as is. But packet capture happens before this reassembly. What you're seeing is packets as they travel on the wire (or in the air in your case).

Defragmenting is in theory relatively easy - the IP packets that have the same ID, source/destination IP address, and protocol type, belong together. The first packet will have a fragmentation offset of 0 and the "More fragments" field set to 1. The next packets (if any) will have "More fragments" set to 1, and a nonzero offset. The final packet will have a nonzero offset and no "More fragments" set.

Get rid of duplicates somehow, order them by offset. The payload of each packet goes into the final buffer at packet.fragmentationOffset*8. It is also trivial to calculate the final packet size using this information.

A more thorough explanation can be found here: http://en.wikipedia.org/wiki/IPv4#Reassembly

I know you have probably moved on a long time ago, but perhaps this could help someone else searching for the same information.
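The reassembly steps described in the answer above, as an added example that is not part of the original question or answer. It is written in Python rather than the asker's C#/SharpPcap, assumes the caller has already stripped the link-layer header so each input is a raw IPv4 packet, and the names `parse_ipv4`, `Reassembler`, `make_fragment` and `demo` are hypothetical.

```python
import struct

def parse_ipv4(pkt):
    """Split one raw IPv4 packet into (flow key, byte offset, MF flag, payload)."""
    ver_ihl, _, total_len, ident, frag, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    header_len = (ver_ihl & 0x0F) * 4
    key = (src, dst, proto, ident)   # fragments sharing this key belong together
    return key, (frag & 0x1FFF) * 8, bool(frag & 0x2000), pkt[header_len:total_len]

class Reassembler:
    def __init__(self):
        self.pending = {}  # key -> {"frags": {offset: payload}, "total": int or None}

    def add(self, pkt):
        """Feed one captured packet; return the full IP payload once complete, else None."""
        key, offset, more, payload = parse_ipv4(pkt)
        if offset == 0 and not more:
            return payload                           # not fragmented at all
        state = self.pending.setdefault(key, {"frags": {}, "total": None})
        state["frags"].setdefault(offset, payload)   # duplicate offset: keep first copy
        if not more:                                 # last fragment fixes the total size
            state["total"] = offset + len(payload)
        if state["total"] is None:
            return None
        buf = bytearray()
        for off in sorted(state["frags"]):
            if off != len(buf):                      # hole or overlap: never accepted
                return None
            buf += state["frags"][off]
        if len(buf) != state["total"]:
            return None
        del self.pending[key]
        return bytes(buf)

def make_fragment(ident, offset_bytes, more, payload, proto=17):
    """Build a constructed IPv4 fragment (checksum left at 0; it is not validated)."""
    frag = (0x2000 if more else 0) | (offset_bytes // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, frag,
                       64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + payload

def demo():
    data = bytes(range(256)) * 10                    # constructed 2560-byte IP payload
    frags = [make_fragment(7, o, o + 1024 < len(data), data[o:o + 1024])
             for o in range(0, len(data), 1024)]
    r = Reassembler()                                # fed out of order, one duplicate
    return [r.add(p) for p in (frags[2], frags[0], frags[0], frags[1])], data
```

The returned bytes are the IP payload, so for protocol 17 they begin with the 8-byte UDP header. Incomplete entries stay in `pending` indefinitely here; a long-running capture would also need to expire them after a timeout.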
