I have everything so far working better than expected. Ip4Analyzer is working; it's not done yet, but all the mundane "package" details for analysis are in place and now the actual analyzers are the easy part.
Here is output from 4 Ip fragments. Not reassembled yet, but already analyzed and prepared for the reassembler:
Ip: ******* Ip4 - "ip version 4" - offset=14 (0xE) length=20
Ip:
Ip: version = 4
Ip: hlen = 5 [5 * 4 = 20 bytes, No Ip Options]
Ip: diffserv = 0x0 (0)
Ip:     0000 00.. = [0] code point: not set
Ip:     .... ..0. = [0] ECN bit: not set
Ip:     .... ...0 = [0] ECE bit: not set
Ip: length = 1280
Ip: id = 0x23D (573)
Ip: flags = 0x2 (2)
Ip:     0.. = [0] reserved
Ip:     .1. = [1] DF: do not fragment: set
Ip:     ..0 = [0] MF: more fragments: not set
Ip: offset = 555 [555 * 8 = 4440 bytes]
Ip: ttl = 254 [time to live]
Ip: type = 17 [ip fragment of udp PDU]
Ip: checksum = 0x4AAF (19119)
Ip: source = 131.151.1.146
Ip: destination = 131.151.32.21
Ip:
Ip: *** Fragment Sequence analysis ***
Ip: Status: all fragments found
Ip: Frame #0: offset= 0-1479, len=1500, dts=0.00 us, flags=[DF, MF]
Ip: Frame #1: offset=1480-2959, len=1500, dts=457.00 us, flags=[DF, MF]
Ip: Frame #2: offset=2960-4439, len=1500, dts=193.00 us, flags=[DF, MF]
Ip: Frame #3: offset=4440-5699, len=1280, dts=85.00 us, flags=[DF]
I am very happy with how this is working out. I will finish the Ip4 and tcp analyzers and reassemblers this weekend.
PS: I will be increasing the timestamp resolution to nanoseconds. This is a little moot with Pcap since both libpcap live capture and offline captures only support microsecond resolution.
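The fragment sequence analysis in the output above can be reproduced from the IPv4 header fields alone. The following is an added example, not the author's analyzer code: the names `Fragment` and `analyze` are hypothetical, and the fragment offsets of frames #0 to #2 are derived from the byte ranges in the output. It goes slightly beyond the output shown by also reporting holes and overlapping fragments, which a reassembler should flag rather than silently merge.

```python
from dataclasses import dataclass


@dataclass
class Fragment:
    frag_offset: int      # IPv4 fragment offset field, in 8-byte units
    total_length: int     # IPv4 total length field (header + payload)
    hlen: int             # IPv4 header length, in 32-bit words
    more_fragments: bool  # MF flag

    @property
    def start(self):
        return self.frag_offset * 8

    @property
    def end(self):
        # Inclusive offset of the last payload byte this fragment carries
        return self.start + (self.total_length - self.hlen * 4) - 1


def analyze(fragments):
    """Return (status, reassembled payload length or None) for one IP id."""
    frags = sorted(fragments, key=lambda f: f.start)  # arrival order is irrelevant
    expected, hole = 0, False
    for i, f in enumerate(frags):
        if f.start < expected:
            # Includes exact duplicates; both need a policy decision
            return ("overlapping fragments", None)
        if f.more_fragments and (f.end + 1 - f.start) % 8:
            return ("malformed fragment length", None)
        if not f.more_fragments and i != len(frags) - 1:
            return ("data beyond final fragment", None)
        hole = hole or f.start > expected
        expected = f.end + 1
    if hole or not frags or frags[-1].more_fragments:
        return ("fragments missing", None)
    return ("all fragments found", expected)


# Frames #0-#3 from the output above (offsets in 8-byte units)
PAGE_FRAGS = [
    Fragment(0, 1500, 5, True),
    Fragment(185, 1500, 5, True),
    Fragment(370, 1500, 5, True),
    Fragment(555, 1280, 5, False),
]

if __name__ == "__main__":
    print(analyze(PAGE_FRAGS))
```
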