Ethereal-dev: [ethereal-dev] TCP reconstruction

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Mike Hall <mlh@xxxxxx>
Date: Mon, 14 Sep 1998 01:55:47 -0500 (CDT)
Well, here it is. First let me say I am sorry. I planned on delivering a
better product to you guys, but I don't have time for the next couple of
weeks. 

BAD THINGS:

o There is no filtering of the telnet control codes and this generally
makes the beginning and end of the stream look bad.

o Because I was looking at getting a telnet/rsh/other filter setup, I am
currently writing the TCP data from the stream to a file in /tmp. This is
very bad for several reasons, including a big security problem. I do read
it in right away and then delete it, but it's still not the "Right way
(TM)"

o I have only tried this on reading files saved with tcpdump -w. I don't
think it will work on live capture, but mostly because of the way you tell
it to follow the stream.

o I did very little testing because I am crunched for time. It seems to
work for all the capture files I have here. But, I did not test this well
at all.

o I use a global to store current packet information. I was lazy and
trying to get this working. I have not fixed this yet.

GOOD THINGS:

o It will reconstruct the TCP streams.

o It handles out of order TCP packets.

o It handles fragmented TCP (resent TCP with longer payload)

o The reconstruct code is very well commented.


HOW TO USE:

Load up your pcap file using File->Load.
Click on a packet in a TCP stream you wish to view.
Click Tools->Follow TCP Stream.

A (libpcap) filter will be constructed and used to re-read the capture
file. Only the packets in the stream will be visible on the packet list. A
popup text box will display the data payload from the stream. 

The filter is erased right after it finishes the re-read, so all you need
to do to see the full capture file is do a File->Open again.

THINGS TO DO: 

o We need a telnet, 3270, rsh, and any other filter you guys think we
might need. If we process the TCP payload through these filters, we should
get nice human readable text from the streams.

o Clean the code up. Sorry about this one.


Anyway, let me know what you guys think. Drop me a line if you have any
questions.

--Mike

+===================================================================+
| Mike Hall               Real programmers dream in Java.           |
| mlh@xxxxxx          Linux rules! Everything else just works.      |
+===================================================================+
|             finger mlh@xxxxxx for public PGP key                  |
+===================================================================+

Attachment: ethereal-0.3.15.tcp.diff.gz
Description: Binary data
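As an added illustration (not part of Mike's message or the attached patch), the Python sketch below shows the two pieces the post describes: building the libpcap filter that selects one TCP conversation for the re-read, and reassembling one direction of the stream from segments that arrive out of order, are duplicated, or are resent with a longer payload. It keeps the reassembled bytes in memory instead of a file under /tmp, which avoids the problem the post flags with that approach. The Segment type, the function names and the HTTP-like sample segments are constructed for this example.

```python
"""Added example (not from the Ethereal patch): in-memory TCP stream
reassembly of the kind the post describes, plus the libpcap filter that
selects one conversation.  All segment data below is constructed."""

from dataclasses import dataclass
from typing import List, Tuple

SEQ_MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


@dataclass(frozen=True)
class Segment:
    seq: int        # sequence number of the first payload byte
    payload: bytes  # TCP payload of this segment (no headers)


def build_stream_filter(a_ip: str, a_port: int, b_ip: str, b_port: int) -> str:
    """libpcap filter matching both directions of a single TCP conversation.

    Re-reading the capture file with this filter (the re-read the post
    describes) leaves only this stream in the packet list.
    """
    one_way = "src host {} and src port {} and dst host {} and dst port {}"
    return "tcp and (({}) or ({}))".format(
        one_way.format(a_ip, a_port, b_ip, b_port),
        one_way.format(b_ip, b_port, a_ip, a_port),
    )


def reassemble(segments: List[Segment], base_seq: int) -> Tuple[bytes, List[Tuple[int, int]]]:
    """Reassemble one direction of a stream into a byte string, in memory.

    base_seq is the sequence number of the first data byte (ISN + 1 once the
    handshake is done).  Returns (data, gaps): gaps lists [start, end) byte
    offsets that no captured segment covered; those bytes stay zero so later
    offsets remain correct.  Handles the cases the post mentions:
    out-of-order arrival, pure duplicates, and a retransmission that carries
    a longer payload than the original.
    """
    # Relative offsets, computed modulo 2^32 so a wrapped sequence number sorts correctly.
    ordered = sorted(segments, key=lambda s: (s.seq - base_seq) % SEQ_MOD)
    data = bytearray()
    gaps: List[Tuple[int, int]] = []
    for seg in ordered:
        start = (seg.seq - base_seq) % SEQ_MOD
        end = start + len(seg.payload)
        if end <= len(data):
            continue  # everything in this segment is already placed (duplicate)
        if start > len(data):
            # A segment is missing before this one: record the hole and pad.
            gaps.append((len(data), start))
            data.extend(b"\x00" * (start - len(data)))
        # Keep the bytes already in the buffer; append only the part that
        # extends past the current end.  For a resent segment with a longer
        # payload this is exactly the new tail.
        data.extend(seg.payload[len(data) - start:])
    return bytes(data), gaps


def demo() -> bytes:
    """Constructed client->server segments, arriving out of order, with ISN+1 near 2^32."""
    base = SEQ_MOD - 4
    segments = [
        Segment(11, b" HTTP/1.0\r\n"),        # arrives early, out of order
        Segment(base, b"GET "),
        Segment(0, b"/index.html"),           # sequence number wrapped past 2^32
        Segment(11, b" HTTP/1.0\r\n\r\n"),    # retransmission with a longer payload
        Segment(base, b"GET "),               # pure duplicate
    ]
    data, gaps = reassemble(segments, base)
    assert not gaps
    return data


if __name__ == "__main__":
    print(build_stream_filter("192.0.2.10", 40000, "192.0.2.80", 80))
    print(demo().decode("ascii"))
```

The gap list is what a viewer would use to mark "data missing here" in the popup instead of silently running two halves of a stream together; padding with zeros keeps later offsets honest so a protocol-specific filter (telnet, rsh and so on, as the post's to-do list suggests) still sees fields where it expects them.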