Wireshark-users: Re: [Wireshark-users] tcp reassembly
From: Stephen Fisher <steve@xxxxxxxxxxxxxxxxxx>
Date: Wed, 16 Dec 2009 15:13:17 -0700



On Dec 16, 2009, at 2:51 PM, Martin Visser wrote:


Your "protocol" needs to convey this information - there is nothing in TCP that knows when the SDU (Service Data Unit) it is carrying is finished. Basically you have two options. Either your protocol (that defines that those 5000 bytes are a Protocol Data Unit) needs to provide a header (indicating at least the length) OR a trailer that has some sort of delimiter (say a NULL character or CRLF) that indicates your PDU is finished. Together this is basically known as framing, by which you indicate the beginning and end of your data units.

Regards, Martin

MartinVisser99@xxxxxxxxx


On Thu, Dec 17, 2009 at 8:27 AM, Chun Chan <chun_chan@xxxxxxxxx> wrote:
Hi
I am writing a sniffer, but I couldn't understand some things about TCP reassembly. First, I send 5000 bytes of data via a socket. Then the TCP/IP stack splits it into three TCP packets. But this is not IP fragmentation; I think this is TCP segmentation. What I cannot understand is: when I sniff these packets, how can I defragment them?
I need to understand when the 5000 bytes are finished.
I will be waiting for your reply.

Additionally, refer to section 2.7 ("Reassembly/desegmentation for protocols running atop TCP.") of doc/README.developer in the source tree. Future questions about dissector creation are best sent to the wireshark-dev@xxxxxxxxxxxxx mailing list after subscribing, even though a number of us are on both lists.


Steve
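
The length-header framing described in this thread, applied the way a passive sniffer has to apply it, as an added example that is not part of the original messages or of Wireshark's code: captured segments are first put back in sequence order, then PDUs are cut from the resulting byte stream. The 4-byte big-endian length header, the `MAX_PDU` cap and all names are assumptions, and sequence-number wraparound is not handled.

```python
import struct

MAX_PDU = 1 << 20  # assumed cap: a sniffer must not trust the length field

class StreamReassembler:
    """One direction of one TCP connection, as seen by a passive sniffer."""
    def __init__(self, initial_seq):
        self.next_seq = initial_seq  # sequence number of the next expected byte
        self.pending = {}            # seq -> payload that arrived ahead of a gap
        self.buf = bytearray()       # in-order stream bytes not yet framed

    def add_segment(self, seq, payload):
        """Feed one TCP segment; return the PDUs completed by it."""
        if len(payload) > len(self.pending.get(seq, b"")):
            self.pending[seq] = payload
        while self.pending:
            first = min(self.pending)
            if first > self.next_seq:
                break                        # gap: a segment is still missing
            data = self.pending.pop(first)
            skip = self.next_seq - first     # bytes already seen (retransmission)
            if skip < len(data):
                self.buf += data[skip:]
                self.next_seq += len(data) - skip
        return self._extract()

    def _extract(self):
        pdus = []
        while len(self.buf) >= 4:
            (length,) = struct.unpack_from("!I", self.buf, 0)
            if length > MAX_PDU:
                raise ValueError("length field %d exceeds cap" % length)
            if len(self.buf) < 4 + length:
                break                        # PDU continues in a later segment
            pdus.append(bytes(self.buf[4:4 + length]))
            del self.buf[:4 + length]
        return pdus

def demo():
    # Constructed sample: 5000-byte message, three segments, reordered, one duplicate.
    message = bytes(range(250)) * 20
    stream = struct.pack("!I", len(message)) + message
    isn = 1000
    segs = [(isn + off, stream[off:off + 2000]) for off in (0, 2000, 4000)]
    r = StreamReassembler(isn)
    return message, [r.add_segment(*segs[i]) for i in (0, 2, 0, 1)]

if __name__ == "__main__":
    print([len(p) for batch in demo()[1] for p in batch])
```

The PDU is only returned once the segment that fills the gap arrives; a length field above the cap is rejected before any buffering is attempted for it.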