Wireshark · Ethereal-dev: Re: [Ethereal-dev] Reassembling TCP segments

Ethereal-dev: Re: [Ethereal-dev] Reassembling TCP segments

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>

Date: Thu, 01 Dec 2005 12:16:11 -0800

DRZOIDBERG@xxxxxxxx wrote:

Actually I'm writing an application which tries to retrieve all the HTTPpackets transported into TCP packets. This TCP packets are oftenfragmented, forming different segments associated to the whole TCPpacket. I think I can't use a filter to directly obtain the HTTPpackets, thus, I have to reassemble TCP segments by myself. First ofall, I notice that TCP segments should be reassembled using its sequencenumbers, which link up the segments. I also know how works this kind offragmentation, where the next sequence number expected is obtainedadding the payload length of the segment to the current sequence number.Now, I have some doubts:
* I don't know how to know what TCP segment is the first one of thechain of segments which forms a packet.


For HTTP:

the very first data segments, in each direction, of the entire TCPconnection are the first segments in an HTTP request or response;

you then process, according to the HTTP 1.1 specification, the requestor response, until you get to the end;

the next byte in the flow is the first byte of the next request orresponse.

Note that I said "next byte in the flow" - there is *NO* guarantee thatan HTTP request or response begins at the beginning of a TCP segment.TCP doesn't supply to protocols running atop it any notion of "packets";it supplies a notion of a sequenced byte stream, and it's entirely theresponsibility of the protocol running atop TCP to divide the datastream into packets.


I.e., there's no such thing as a "TCP packet"; there are only TCP segments.

* I don't know what to decide if a TCP segment is the last one of asequence of segments. I notice that an acknowledgement for the lastsegment would be used for this purpose, but If I haven't got thisacknowledgment, I don't know when the TCP packet finishes.

As I said, there's no such thing as a "TCP packet"; you can't tell,purely from using information in a TCP header, where HTTP requests startor end. Acknowledgements are *NOT* used to indicate whether a TCPsegment is the start or end of a packet for a protocol running atop TCP;they're used *solely* by TCP to indicate that it has received a segment.

In fact, there's no guarantee that an HTTP request starts at thebeginning of a TCP segment or ends at the end of a TCP segment.

You will have to process the HTTP requests or responses yourself to seewhere they end.

References:
- [Ethereal-dev] Reassembling TCP segments
  - From: DRZOIDBERG@xxxxxxxx

Prev by Date: SV: [Ethereal-dev] Dissection of Diameter Credit Control Application
Next by Date: [Ethereal-dev] ASN2ETH extended with remote-operations
Previous by thread: Re: [Ethereal-dev] Reassembling TCP segments
Next by thread: Re: [ethereal-dev] MATE simple config file makes Ethereal Version0.10.13-SVN-16623 crashes under win32
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$