Wireshark-users: Re: [Wireshark-users] tcp reassembly

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: Chun Chan <chun_chan@xxxxxxxxx>
Date: Wed, 16 Dec 2009 22:41:43 -0800 (PST)
ok. I understand and thanks for answers.
Bu I have a only one qestion.
I write a simple code client/server example with using socket.
Server side is watitng to read 10000 bytes in while loop. Ans server side print a message after recv packet. like that "n bytes received."
client side is sending 5000 bytes two times to server.

I hope server side is only one message "10.000 bytes received" but server side printed a message two times "5000 bytes received".
Then I analyze tcpip packet there is many packet 1400 bytes.
How understand socket when finish message? I want to do that thing with sniffer how socket did.
thanks

From: Sake Blok <sake@xxxxxxxxxx>
To: Community support list for Wireshark <wireshark-users@xxxxxxxxxxxxx>
Sent: Thu, December 17, 2009 12:13:26 AM
Subject: Re: [Wireshark-users] tcp reassembly

TCP is a streaming protocol. This means it will just take the data is has been given from the upper layer and transmit it to the receiving end. The receiving end on it's turn just passes the traffic as a stream towards the upper layer. It is the upper layer that is responsible for reassembly of the data into it's PDU's.
 
Within wireshark, it's also the upper layer dissectors telling the tcp dissector to fetch more data (ie use data from the next packet in the tcp stream) to complete it's PDU for dissection.
 
For example, in HTTP/1.0, a Content-Length header is used to tell the browser how much data to pull from the tcp stream to complete the object (=PDU at HTTP layer). After that a new object can be requested over the same tcp stream.
 
Hope this helps,
Cheers,
     Sake
 
----- Original Message -----
From: Chun Chan
Sent: Wednesday, December 16, 2009 10:27 PM
Subject: [Wireshark-users] tcp reassembly

Hi
I am writing a sniffer but I couldnt understand some things about tcp reassembly.
firstly I send a data via socket 5000 bytes. then tcpip stack split into three tcp packets. but this is not ip fragmentation. I think this is tcp segmentation.
but I can not understand when I will sniff this packet How can I defragment this packet?
I need to understand when finished 5000 bytes.
I will waiting your reply
thanks

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe