Wireshark-dev: Re: [Wireshark-dev] Reassembly of Split TCP packets - tcp_dissect_pdus() and "Fo
From: Selçuk Cevher <cevhers@xxxxxxxxx>
Date: Fri, 14 Aug 2009 09:58:23 +0300
Does Wireshark run a specific sorting algorithm when reconstructing a TCP stream ?

If this is the case, it seems to me that, especially for long connections, the task of sorting all the packets of the connection based on the sequence numbers may be very costly.

On Thu, Aug 13, 2009 at 10:31 PM, Guy Harris <guy@xxxxxxxxxxxx> wrote:

On Aug 12, 2009, at 11:52 PM, Selçuk Cevher wrote:

> On the other hand, the development guide also says that a single TCP
> segment can carry multiple application messages at the same time.
>
> In this case, it can not be assumed that "the message header is at
> the start of your TCP payload". Does it mean that there might be
> multiple application layer headers in the payload of this single TCP
> segment, and each application header may start from an arbitrary
> location depending on the message size ?

Yes.

If a TCP segment with multiple application layer packets in it has, at
the beginning, the header of the first of those packets,
tcp_dissect_pdus() will handle that - it'll call the packet dissector
multiple times, once for each of the full packets in that segment.

If the last packet in the segment is continued in the next segment,
tcp_dissect_pdus() will start reassembly of that packet, so that when
tcp_dissect_pdus() is called with the next segment, it will continue
reassembly of that packet.

The only case tcp_dissect_pdus() doesn't handle is the one where the
first captured segment in the capture starts with something *other*
than the header of a packet; that would require that it be possible to
identify PDU headers heuristically and that it scan forward looking
for the first PDU header.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
            mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe