Ethereal-dev: Re: [Ethereal-dev] TCP reconstruction WAS:[Another Stupid Question]

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: David Frascone <dave@xxxxxxxxxxxx>
Date: Thu, 15 Feb 2001 10:47:52 -0600
> The "breaking up one big stream" is really the only way to deal with TCP
> streams. Also, something I didn't see mentioned in this thread is that you
> will need full state awareness of the TCP stream to do this the right
> way. I sort of cheated with the follow TCP stream code. It does not check
> things like window size, 3 way handshakes etc. It assumes a nice simple
> flow which works most of the time. But if you want to use it for forensic
> analysis after a hack attempt, you will find the tcp follow code
> lacking. I always meant to add full TCP stream processing and state
> information into Ethereal. I have not really had time. If someone does
> decide to jump in and do this, we should talk. I have quite a few ideas
> and some experience doing this in other systems. Just remember, you cannot
> take the TCP packets and start parsing the contents without some serious
> statetable work for both ends of the TCP connection as well as looking out
> for duplicates and overlapping sequence space.
> 

So, there *is* a way to do it with Ethereal?  Is there a dissector that already
does it, or could you point me at the functions that would give me one
contiguous block?
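The duplicate and overlap handling the quoted message says the follow-stream code lacks, as an added example that is not Ethereal's code: a one-direction reassembler keyed on sequence space rather than packet order, which ignores retransmissions, records overlaps that disagree with earlier data instead of applying them, and hands out only the block that is contiguous from the ISN. Segment data and the ISN are constructed for the demo.

```python
from dataclasses import dataclass, field

SEQ_MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around

@dataclass
class StreamReassembler:
    """One direction of a TCP connection, tracked by sequence space, not by
    packet arrival order. isn is the SYN's sequence number; data starts at isn+1."""
    isn: int
    seen: dict = field(default_factory=dict)       # seq number -> byte value
    conflicts: list = field(default_factory=list)  # (seq, first byte, later byte)

    def add_segment(self, seq: int, payload: bytes) -> int:
        """Record payload at seq. Already-seen bytes win, so retransmissions are
        no-ops; an overlap carrying different data is logged rather than applied,
        since a naive follower would let the later copy rewrite the stream."""
        new = 0
        for offset, byte in enumerate(payload):
            pos = (seq + offset) % SEQ_MOD
            if pos in self.seen:
                if self.seen[pos] != byte:
                    self.conflicts.append((pos, self.seen[pos], byte))
                continue
            self.seen[pos] = byte
            new += 1
        return new  # number of bytes that were genuinely new

    def contiguous(self) -> bytes:
        """In-order data from isn+1 up to the first hole: the only block safe to parse."""
        out = bytearray()
        pos = (self.isn + 1) % SEQ_MOD
        while pos in self.seen:
            out.append(self.seen[pos])
            pos = (pos + 1) % SEQ_MOD
        return bytes(out)

def demo() -> tuple:
    """Constructed one-direction capture of an HTTP request with ISN 1000."""
    r = StreamReassembler(isn=1000)
    for seq, payload in [
        (1001, b"GET /"),           # first data segment
        (1012, b"HTTP/1.0\r\n"),    # arrives before the segment it follows
        (1001, b"GET /"),           # plain retransmission, ignored
        (1006, b"index "),          # fills the hole left by the early segment
        (1009, b"ex HTTP"),         # overlap that agrees with earlier data
        (1005, b"/evil"),           # overlap that disagrees: flagged, not applied
        (1030, b"Host: x\r\n"),     # beyond a hole, so not yet contiguous
    ]:
        r.add_segment(seq, payload)
    return r.contiguous(), len(r.conflicts)
```

`demo()` returns the 21 bytes that are contiguous from the ISN plus the count of conflicting overlap bytes; the `Host:` line stays buffered until the hole before it is filled.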