Wireshark-dev: Re: [Wireshark-dev] Reassembly of Split TCP packets - tcp_dissect_pdus() and "Fo

From: Stephen Fisher <steve@xxxxxxxxxxxxxxxxxx>
Date: Thu, 13 Aug 2009 10:18:37 -0600

On Aug 13, 2009, at 12:52 AM, Selçuk Cevher wrote:

The implementation of "Follow TCP Stream" command should be more complicated since it should cover handling the dropped, duplicated and out-of-order TCP packets.

How does Wireshark handle this issues ? Where is the implementation of "Follow TCP Stream" command in the source tree

Take a look at gtk/follow_stream.c for the shared GUI portion of each of the follow types (TCP, UDP, SSL). gtk/follow_tcp.c contains a good portion of the follow TCP implementation. epan/follow.[ch] contains the rest of the code for following streams. As you predicted, the TCP following logic is a lot more complicated than say the UDP. You might want to start there to understand the ideas better before jumping into TCP or SSL.


Steve