Apolgies,
I set my message settings to digest so I didn't get the individual mail to
reply to. Can you reply to your message on the board and so I'll now
receive it in my mail and a single mail (rather than part of the digest, I
new to mailing lists like this, sorry!)?
Anyway yes that helps in so far as it gets rid of all non-HTTP packets but
there are times when I need the TCP packets. I'm not entirely sure if I
need each one or just the ones that come as part of the standard protocol
packets (POP, HTTP etc). In this app I parse instant messages, email (web
and pop) and http stuff. I'll investigate my code base and figure out if
I reall do need to those single tcp packets (quite probable I don't).
Thanks,
JP
On Thu, 23 Oct 2008 12:54:20 +0100, John Paul Sheridan
<johnpaul.sheridan@xxxxxxxxx> wrote:
Hi all,
First time post.
I'm developing a java based app that uses tshark as the underlying
capture mechanism. I set up tshark and set capture filters and output
the data in PDML format (which is captured via stdin in my Java app and
parsed via SAX).
I've created a stream manager that holds stream objects. Each stream
contains all packets belonging to the communication between a client and
server i.e. each packet sent between the client/server for any one TCP
Stream.
For the purpose of this mail I'm targetting HTTP.
I capture all TCP packets and add them to the appropriate stream. When
I come across a HTTP message I add this to the same stream. In my
capture file that I use for testing I have HTTP request and HTTP
response. So the first 3 packets are those of the TCP handshake (SYN,
SYN_ACK and ACK). The fourth packet would normally be the HTTP request
but due to the fact the segments are split up and then reassembled I
actually have four extra TCP packets that I don't need (yes I know they
are needed but I only want the reassembled one). Here are some packet
details
Handshake
---------
1. SYN from Client
2. SYN_ACK from Server
3. ACK from Client
Extra packets
-------------
4. RST_ACK from Client
5. ACK from Client (TCP segment of a reassembled PDU)
6. ACK from Client (TCP segment of a reassembled PDU)
7. PSH_ACK from Client (TCP segment of a reassembled PDU)
HTTP Request
------------
8. PSH_ACK HTTP Request from Client (POST method)
From what I understand that PDUs can be split across segments for two
main reasons:
1. Some packets are missing (not in my case)
2. Size of info based on segment means it has to be split
I need the fact wireshark can reassemble the data into another packet so
I'm not willing to turn reassembly off.
I dont want to see the extra TCP segment packets in my PDML stream, only
the reassembled ones. Is there a filter (capture or display) that I can
set with t-shark to omit the segment packets from my PDML stream
(remember I use Wireshark for visual analysis of the data but tshark in
my java app?
Thanks in advance,
JP
--
Using Opera's revolutionary e-mail client: http://www.opera.com/mail/