On Thu, 15 Feb 2001, David Frascone wrote:
> True. But I wasn't thinking straight. My senario is multiple *small*
> packets being grouped together by TCP, not huge streams being broken
> apart. So, the pseudo code would have worked, but only for multiple
> packets in a single TCP frame.
The "breaking up one big stream" is really the only way to deal with TCP
streams. Also, something I didn't see mentioned in this thread is that you
will need full state awareness of the TCP stream to do this the right
way. I sort of cheated with the follow TCP stream code. It does not check
things like window size, 3 way handshakes etc. It assumes a nice simple
flow which works most of the time. But if you want to use if for forensic
analysis after a hack attempt, you will find the tcp follow code
lacking. I always meant to add full TCP stream processing and state
information into Ethereal. I have not really had time. If someone does
decide to jump in and do this, we should talk. I have quite a few ideas
and some experience doing this in other systems. Just remember, you cannot
take the TCP packets and start parsing the contents without some serious
statetable work for both ends of the TCP conneciton as well as looking out
for duplicates and overlapping sequence space.
--Mike
--
+===================================================================+
| Mike Hall Real programmers dream in Java. |
| mlh@xxxxxx Linux rules! Everything else just works. |
+===================================================================+
| finger mlh@xxxxxx for public PGP key |
+===================================================================+
