TCP is a streaming protocol. This means it will just take the data it has been given from the upper layer and transmit it to the receiving end. The receiving end in its turn just passes the traffic as a stream towards the upper layer. It is the upper layer that is responsible for reassembly of the data into its PDUs.

Within Wireshark, it's also the upper layer dissectors telling the TCP dissector to fetch more data (i.e. use data from the next packet in the TCP stream) to complete its PDU for dissection.

For example, in HTTP/1.0, a Content-Length header is used to tell the browser how much data to pull from the TCP stream to complete the object (= PDU at HTTP layer). After that a new object can be requested over the same TCP stream.

Hope this helps,
Cheers,
Sake
----- Original Message -----
Sent: Wednesday, December 16, 2009 10:27 PM
Subject: [Wireshark-users] tcp reassembly

Hi, I am writing a sniffer but I couldn't understand some things about TCP reassembly. Firstly, I send 5000 bytes of data via a socket. Then the TCP/IP stack splits it into three TCP packets. But this is not IP fragmentation; I think this is TCP segmentation. But I cannot understand, when I sniff this packet, how can I defragment it? I need to understand when the 5000 bytes are finished. I will be waiting for your reply. Thanks.
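The approach described in the reply, as an added example that is not part of the original thread: a sniffer first puts one direction of a TCP connection back in order by sequence number, then lets the upper layer (here HTTP with Content-Length) decide where each PDU ends. The names `StreamReassembler`, `pop_http_messages` and `demo`, and the sample segments, are constructed for illustration; the sketch assumes the SYN was captured and that messages are framed by Content-Length only.

```python
# Added example: hypothetical names, constructed sample data.
MOD = 2**32  # TCP sequence numbers wrap at 32 bits
class StreamReassembler:
    """Rebuilds one direction of a TCP byte stream from sniffed segments."""
    def __init__(self, isn):
        self.first_seq = (isn + 1) % MOD  # the SYN consumes one sequence number
        self.delivered = 0                # bytes handed to the upper layer so far
        self.pending = {}                 # stream offset -> payload not yet contiguous
        self.stream = bytearray()         # in-order bytes awaiting PDU framing
    def add_segment(self, seq, payload):
        off = (seq - self.first_seq) % MOD
        self.pending[off] = max(payload, self.pending.get(off, b""), key=len)
        for off in sorted(self.pending):
            if off > self.delivered:
                break                     # gap: an earlier segment is still missing
            data = self.pending.pop(off)[self.delivered - off:]  # skip retransmitted bytes
            self.stream += data
            self.delivered += len(data)

def pop_http_messages(buf):
    """Remove and return each complete message; a partial one stays in buf."""
    out = []
    while True:
        end = buf.find(b"\r\n\r\n")
        if end < 0:
            return out                    # header block not complete yet
        length = 0
        for line in bytes(buf[:end]).split(b"\r\n")[1:]:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"content-length":
                if not value.strip().isdigit():
                    raise ValueError("malformed Content-Length")
                length = int(value.strip())
        total = end + 4 + length
        if len(buf) < total:
            return out                    # body bytes are still in flight
        out.append(bytes(buf[:total]))
        del buf[:total]

def demo():
    """Constructed capture: 5000-byte body, three segments, out of order."""
    msg = b"HTTP/1.0 200 OK\r\nContent-Length: 5000\r\n\r\n" + b"A" * 5000
    isn = 0xFFFFFF00                      # constructed; forces sequence wrap-around
    segs = [((isn + 1 + i) % MOD, msg[i:i + 1700]) for i in range(0, len(msg), 1700)]
    r, done, progress = StreamReassembler(isn), [], []
    for seq, payload in (segs[2], segs[0], segs[0], segs[1]):
        r.add_segment(seq, payload)
        done += pop_http_messages(r.stream)
        progress.append((r.delivered, len(done)))
    return progress, done
```

`demo()` feeds the third segment first and retransmits the first one; the message is reported complete only once the gap is filled and the Content-Length count is satisfied.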