Ethereal-dev: Re: [Ethereal-dev] Reassembling TCP segments

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Jaap Keuter <jaap.keuter@xxxxxxxxx>
Date: Thu, 1 Dec 2005 13:03:01 +0100 (CET)
On Thu, 1 Dec 2005, DRZOIDBERG@xxxxxxxx wrote:

>
> Hello,
>
> Actually I'm writing an application which tries to retrieve all the
> HTTP packets transported into TCP packets.

In Ethereal you would use filter expression: http

> These TCP packets are often
> fragmented, forming different segments associated with the whole TCP
> packet. I think I can't use a filter to directly obtain the HTTP
> packets, thus, I have to reassemble TCP segments by myself.

In Ethereal helper functions are available to help with the reassembly of
TCP and higher layer protocols.

> First of
> all, I notice that TCP segments should be reassembled using their sequence
> numbers, which link up the segments. I also know how this kind of
> fragmentation works, where the next sequence number expected is obtained by
> adding the payload length of the segment to the current sequence
> number. Now, I have some doubts:
>
> * I don't know how to know what TCP segment is the first one of the
> chain of segments which forms a packet.
>
> * I don't know how to decide whether a TCP segment is the last one of a
> sequence of segments. I notice that an acknowledgement for the last
> segment would be used for this purpose, but if I haven't got this
> acknowledgement, I don't know when the TCP packet finishes.
>
> * I don't know how to know if a TCP packet corresponds to another one
> (i.e., how I can know whether a TCP packet is a segment of a whole TCP
> packet)

Maybe you should take Ethereal and have a look at what such flows actually
look like. Select a TCP packet and choose "Follow TCP stream". Then play
with the TCP dissector's option "Allow subdissector to reassemble". Read
about reassembly in the developer manual. Then look into the
epan/dissectors/packet-tcp.c code to get an idea how it's done (it's not
easy). Now you have to figure out a framework to put this all in for your
application. If you really need such an application, you may want to consider
http://www.effetech.com/sniffer/

Cheers,
Jaap
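One way to do the sequence-number reassembly the question describes, as an added example that is not part of the original thread and not Ethereal's own code (packet-tcp.c additionally handles window checks, SACK, keep-alives and retransmission analysis, none of which is done here). The addresses, sequence numbers and the HTTP request in `demo()` are constructed sample input. A stream is keyed on the 4-tuple in one direction, the SYN is taken as the first segment (its ISN plus one is the first data byte), bytes are appended in sequence-number order while early segments are buffered and retransmitted bytes dropped, `missing_bytes()` reports the hole in front of the earliest buffered segment, and the FIN is taken as the end. Because TCP itself has no message boundaries, the end of the HTTP message is found from its Content-Length header instead of from any acknowledgement.

```python
"""One-direction TCP stream reassembly keyed on (src, sport, dst, dport).

Added example, not Ethereal/Wireshark code; see the lead-in for what it omits.
"""
from dataclasses import dataclass, field
from typing import Optional

SYN, FIN = 0x02, 0x01
MOD = 1 << 32


def seq_diff(a, b):
    """Signed distance a - b in 32-bit sequence space (handles wraparound)."""
    return ((a - b + (1 << 31)) % MOD) - (1 << 31)


@dataclass
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    flags: int = 0
    payload: bytes = b""


@dataclass
class Stream:
    next_seq: Optional[int] = None                 # next byte we need; None until SYN or first data
    pending: dict = field(default_factory=dict)    # seq -> payload of segments that arrived early
    data: bytearray = field(default_factory=bytearray)
    fin_seq: Optional[int] = None
    closed: bool = False


class Reassembler:
    def __init__(self):
        self.streams = {}

    def feed(self, seg):
        # Segments belong together when they share the 4-tuple in one direction;
        # the reverse direction of the same connection is a separate stream.
        key = (seg.src, seg.sport, seg.dst, seg.dport)
        st = self.streams.setdefault(key, Stream())
        if seg.flags & SYN:
            # The SYN is the first segment; it consumes one sequence number,
            # so the first data byte is ISN+1.
            st.next_seq = (seg.seq + 1) % MOD
            return st
        if st.next_seq is None:
            # Capture started mid-stream: we cannot know which segment was first,
            # so start from wherever we are.
            st.next_seq = seg.seq
        if seg.payload:
            old = st.pending.get(seg.seq, b"")
            st.pending[seg.seq] = max(old, seg.payload, key=len)
        if seg.flags & FIN:
            st.fin_seq = (seg.seq + len(seg.payload)) % MOD
        self._drain(st)
        return st

    @staticmethod
    def _drain(st):
        while st.pending:
            first = min(st.pending, key=lambda s: seq_diff(s, st.next_seq))
            offset = seq_diff(st.next_seq, first)
            if offset < 0:
                break                              # hole before `first`: wait for the missing bytes
            payload = st.pending.pop(first)
            if offset < len(payload):
                # offset > 0 means retransmission/overlap: skip the bytes we already have
                st.data += payload[offset:]
                st.next_seq = (first + len(payload)) % MOD
            # offset >= len(payload): pure duplicate, dropped
        if st.fin_seq is not None and seq_diff(st.next_seq, st.fin_seq) == 0:
            st.closed = True                       # FIN reached with no hole before it

    @staticmethod
    def missing_bytes(st):
        """Size of the hole in front of the earliest buffered segment, 0 if none."""
        if not st.pending:
            return 0
        first = min(st.pending, key=lambda s: seq_diff(s, st.next_seq))
        return seq_diff(first, st.next_seq)


def http_message_end(buf):
    """Offset where the first HTTP message in buf ends, or None if it is incomplete.
    Content-Length framing only; chunked encoding is not handled."""
    hdr_end = buf.find(b"\r\n\r\n")
    if hdr_end < 0:
        return None
    body_len = 0
    for line in bytes(buf[:hdr_end]).split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            body_len = int(value.strip())
    end = hdr_end + 4 + body_len
    return end if len(buf) >= end else None


def demo():
    """Constructed capture: a POST split into three segments that arrive out of
    order, one of them retransmitted, with sequence numbers crossing the 2^32 wrap."""
    isn = 0xFFFFFFF0
    parts = [b"POST /login HTTP/1.1\r\n",
             b"Host: example.test\r\nContent-Length: 9\r\n\r\n",
             b"user=bob\n"]
    segs, seq = [], (isn + 1) % MOD
    for p in parts:
        segs.append(Segment("10.0.0.2", 40000, "10.0.0.1", 80, seq, 0, p))
        seq = (seq + len(p)) % MOD
    segs[-1].flags = FIN
    arrival = [Segment("10.0.0.2", 40000, "10.0.0.1", 80, isn, SYN),
               segs[2], segs[0], segs[0], segs[1]]
    r = Reassembler()
    for s in arrival:
        st = r.feed(s)
    return bytes(st.data), st.closed, http_message_end(st.data)


if __name__ == "__main__":
    data, closed, end = demo()
    print(data.decode(), closed, end)
```

The point the questioner was missing is that neither the ACK nor any TCP field marks "the last segment of a packet": TCP delivers a byte stream, and the application-layer framing (here Content-Length) decides where one message ends and the next begins.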