Ethereal-dev: Re: [Ethereal-dev] TCP reconstruction WAS:[Another Stupid Question]
On Thu, 15 Feb 2001, David Frascone wrote:
> > The "breaking up one big stream" is really the only way to deal with TCP
> > streams. Also, something I didn't see mentioned in this thread is that you
> > will need full state awareness of the TCP stream to do this the right
> > way. I sort of cheated with the follow TCP stream code. It does not check
> > things like window size, 3-way handshakes, etc. It assumes a nice simple
> > flow which works most of the time. But if you want to use it for forensic
> > analysis after a hack attempt, you will find the tcp follow code
> > lacking. I always meant to add full TCP stream processing and state
> > information into Ethereal. I have not really had time. If someone does
> > decide to jump in and do this, we should talk. I have quite a few ideas
> > and some experience doing this in other systems. Just remember, you cannot
> > take the TCP packets and start parsing the contents without some serious
> > statetable work for both ends of the TCP connection as well as looking out
> > for duplicates and overlapping sequence space.
> >
>
> So, there *is* a way to do it with Ethereal? Is there a dissector that already
> does it, or could you point me at the functions that would give me one
> contiguous block?
>
Look at follow.c. This code is not a dissector, and no dissector uses
it. But it is the _start_ of code you could use to reassemble a
stream. Right now I think it handles out of order TCP packets, and
duplicates. The only thing it does with the payload is put it in the
display window and allow you to look at it. You could modify this to dump
the data into a buffer, but you would have to make it a sliding window
type of buffer. The stream could be huge. Think FTP and 2G files. :)
This is something that needs to be added at an architecture level and not
just to one dissector. Although I guess if it was made to work in one
dissector, then anyone could work on making it more general and move it
to a higher level.
--Mike
--
+===================================================================+
| Mike Hall Real programmers dream in Java. |
| mlh@xxxxxx Linux rules! Everything else just works. |
+===================================================================+
| finger mlh@xxxxxx for public PGP key |
+===================================================================+
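The state tracking Mike describes above (in-order delivery, duplicates, overlapping sequence space, and a bounded buffer instead of holding a 2G stream in memory) is small enough to sketch. The following is an added example written for this page; it is not follow.c or any other Ethereal code. It reassembles one direction of a connection, hands in-order bytes to a consumer as soon as they are available, keeps only out-of-order segments, bounds them with a receive-window check, and does 32-bit sequence arithmetic so a stream that wraps past 2^32 is handled. It ignores SYN/FIN/RST processing, checksums and the reverse direction; the class and function names and the sample HTTP request are constructed for the example.

```python
"""Minimal one-direction TCP stream reassembler (added example, not Ethereal's
follow.c).  Illustrates the state the thread says follow.c skips: in-order
delivery, duplicate and overlapping-segment handling, buffering of
out-of-order data, a receive-window bound, and 32-bit sequence wrap.
Names and sample data below are constructed for the example."""

SEQ_MOD = 1 << 32


def seq_diff(a, b):
    """Signed distance a - b in 32-bit sequence space (handles wrap-around)."""
    d = (a - b) % SEQ_MOD
    return d - SEQ_MOD if d >= SEQ_MOD // 2 else d


class TcpStreamReassembler:
    """Reassembles one direction of a TCP connection and hands contiguous
    payload to `consumer` as soon as it is in order.  Only out-of-order
    segments are held, so memory is bounded by `window`, not by the size of
    the stream (the sliding-window buffer the thread asks for)."""

    def __init__(self, isn, consumer, window=65535):
        self.next_seq = (isn + 1) % SEQ_MOD   # the SYN consumes one sequence number
        self.consumer = consumer
        self.window = window
        self.pending = {}                      # seq -> payload waiting for a gap to close
        self.stats = {"delivered": 0, "duplicate": 0, "overlap": 0,
                      "out_of_order": 0, "out_of_window": 0}

    def add_segment(self, seq, payload):
        """Feed the payload of one segment whose TCP sequence number is `seq`."""
        self._accept(seq % SEQ_MOD, payload)
        # Release buffered segments whose gap has now been filled.
        while True:
            ready = [s for s in self.pending if seq_diff(s, self.next_seq) <= 0]
            if not ready:
                return
            s = max(ready, key=lambda s: seq_diff(s, self.next_seq))  # nearest first
            self._accept(s, self.pending.pop(s))

    def _accept(self, seq, payload):
        if not payload:
            return
        ahead = seq_diff(seq, self.next_seq)       # how far past next_seq this starts
        if ahead > self.window:
            self.stats["out_of_window"] += 1       # beyond what a receiver would accept
            return
        if ahead < 0:
            if -ahead >= len(payload):
                self.stats["duplicate"] += 1       # pure retransmit: nothing new
                return
            payload = payload[-ahead:]             # overlap: keep only the new tail
            seq = self.next_seq
            self.stats["overlap"] += 1
        if seq != self.next_seq:
            self.stats["out_of_order"] += 1
            # Hold it; if the same seq is seen twice, keep the longer copy.
            if len(payload) > len(self.pending.get(seq, b"")):
                self.pending[seq] = payload
            return
        self.consumer(payload)
        self.next_seq = (self.next_seq + len(payload)) % SEQ_MOD
        self.stats["delivered"] += len(payload)


def reassemble_demo():
    """Constructed capture: a small HTTP request split into segments that
    arrive out of order, overlapping and duplicated, with the sequence
    space wrapping past 2**32 in the middle of the request."""
    request = (b"GET /index.html HTTP/1.0\r\n"
               b"Host: example.test\r\n\r\n")
    isn = 0xFFFFFFF0                 # chosen so the stream wraps after 15 bytes
    s0 = isn + 1                     # sequence number of the first payload byte
    chunks = []
    r = TcpStreamReassembler(isn, chunks.append)
    r.add_segment(s0, request[0:10])            # in order
    r.add_segment(s0 + 20, request[20:34])      # arrives early: buffered
    r.add_segment(s0 + 5, request[5:25])        # overlaps 5 delivered bytes, fills the gap
    r.add_segment(s0, request[0:10])            # retransmit: dropped as duplicate
    r.add_segment(s0 + 100000, b"junk")         # beyond the window: dropped
    r.add_segment(s0 + 34, request[34:])        # rest of the request
    return b"".join(chunks), r.stats


if __name__ == "__main__":
    data, stats = reassemble_demo()
    print(data.decode("ascii", "replace"))
    print(stats)
```

The consumer callback is where a dissector would go: it sees the stream as one contiguous byte sequence, in order, without the reassembler ever holding more than the out-of-order segments inside the window. A forensic-grade version would also track both directions, tie the stream to the handshake and FIN/RST, and record (rather than silently trim) overlaps whose contents disagree, since inconsistent overlapping data is exactly what an evasion attempt looks like.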