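###############################################################################
# Big Packet!
# Search for IP datagrams whose reassembled total length would exceed 65535
# bytes (the "ping of death" family).  While writing this I uncovered a lot
# of quirks in the way certain OS's handle fragmented ICMP packets.  Some
# OS's set the reserved fragment flag when they shouldn't.  The size check
# below does not look at the flag bits at all, so that quirk (or any other
# odd flag combination) can no longer hide an oversized datagram.
#
# Record layout: time, src ip, dst ip, reassembled size (int), protocol name.
#
# -sili@l0pht.com
###############################################################################
the_schema = library_schema:new( 1, [ "time","ip","ip","int","str" ], scope() );

filter IPeverywhere ip() {
    # Bytes 4..7 of the IP header hold identification (16 bits) followed by
    # flags (3 bits) and fragment offset (13 bits, in 8-byte units).  long()
    # reads all four bytes, so mask to the low 13 bits before scaling; any
    # wider shift would leak identification bits into the result (the old
    # "flags = long >> 12" did exactly that, so it only ever matched packets
    # whose identification field was zero).
    $offset = (long(eth.blob,4) & 0x1fff) << 3;

    $proto = library_ipproto:getsname(ip.protocol);

    # Reassembled total length = this fragment's offset + its total length.
    # ip.len is taken to be the IP total-length field (header included), so
    # the header of this fragment stands in for the header of the reassembled
    # datagram — confirm against NFR's definition of ip.len.
    $size = $offset + ip.len;

    # RFC 791: a datagram of exactly 65535 bytes is legal; only something
    # past that is impossible to reassemble.  This is true whatever the MF,
    # DF or reserved bits say, hence no flag gating here.
    if ($size > 65535) {
        record system.time, ip.src, ip.dst, $size, $proto to the_recorder;
    }
}

the_recorder = recorder("bin/histogram packages/test/bigpacket.cfg", "the_schema");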