[Oisf-devel] ip fragments
Victor Julien
victor at inliniac.net
Mon Jul 4 06:39:23 UTC 2011
On 07/03/2011 05:29 PM, chetan loke wrote:
> On Sat, Jul 2, 2011 at 3:05 AM, Victor Julien <victor at inliniac.net> wrote:
>> On 07/01/2011 08:37 PM, chetan loke wrote:
>>> Hello,
>>>
>>> Quick question:
>>>
>>> Suricata decoders can handle ip-fragments that arrive out-of-order,correct?
>>>
>>> As long as the fragments(of the flow-tuple) get routed to the same
>>> socket we should be good, correct?
>>
>> Yes, thats right.
>
> Ok, then I will rely on MF and ip_id to detect matching fragments.
The final fragment doesn't have the MF set, but it does have a frag
offset > 0.
Cheers,
Victor
>
>> Victor Julien
>
> Chetan Loke
>
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
More information about the Oisf-devel
mailing list