[Winpcap-users] TCP/IP stack reassembly

David Chang dchang at fsautomation.com
Tue Aug 15 00:12:43 GMT 2006


I'm sure that different implementations of TCP/IP have small differences in 
the way they handle packets.  However, for the vast majority of real world 
situations, TCP/IP is well documented in RFC 791 & 793.  In addition, books 
like TCP/IP Illustrated by W. Richard Stevens cover the protocol in great 
detail.  Using these resources, one can write a TCP/IP re-assembly engine. 
I don't think there is a "standard" implementation (or algorithm) for 
re-assembly but rather a list of possible problem packets to handle. 
Looking at the libnids website (libnids.sourceforge.net), they mention a 
test suite that their re-assembly engine passed 
(libnids.sourceforge.net/TESTS).  Maybe you can contact them to find out how 
they conducted their tests.  Or, maybe you can just use their engine.


----- Original Message ----- 
From: "Thomas O'Hare" <Tom at RedTile.Com>
To: <winpcap-users at winpcap.org>
Sent: Monday, August 14, 2006 3:50 PM
Subject: Re: [Winpcap-users] TCP/IP stack reassembly

> Ralph
> I will go out on a limb here and anyone else is free to jump in...
> The nature of TCP/IP is a "connection oriented" protocol.  Which means a
> real connection exists between 2 hosts.  If the protocol stack is
> anywhere near what it should be, then if there are problems with packets
> the sending host is supposed to resend the problem data.
> So trying to recover and re-assemble packets seems to me to be
> defeating, or at least making a lot more work for something that is
> supposed to be done for you anyway by the stack.
> If I totally missed the boat, then please explain a little further.
> But it is late here, I am tired and so I am at a loss as to why you want
> to work so hard...
> Thanks,
> ~ Thomas O'Hare ~
> President, RedTile, Inc. - DBA: RedTile Software
> Web, Wireless, Network, Database & Systems Software
> +1.407.295.9148 ; +49.8651.717950 ; http://www.RedTile.Com/
> Operations Manager; Virtual FoxPro User Group
> Tom at VFUG.Org ; http://www.VFUG.Org/
> Accounts wrote:
>> Hi All,
>>    I believe this question was asked before without a clear answer. Is
>> there a definite or a standard way/library of reassembling the tcp/ip
>> stack from the sniffed packets?
>>    I wanted to write one myself but the biggest problem that I have
>> faced is debugging. Is there software out there that can simulate
>> sending packets on demand (like fragmented and oob...) so that it could
>> aid in the development and debugging of code that does the reassembly?
>>    Thank you all.
>>    Ralph.
>> _______________________________________________
>> Winpcap-users mailing list
>> Winpcap-users at winpcap.org
>> https://www.winpcap.org/mailman/listinfo/winpcap-users
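
A minimal one-direction TCP stream reassembler of the kind discussed in this thread, as an added example that is not part of the original messages and is not libnids or WinPcap code. It feeds constructed segments (early, overlapping with differing bytes, retransmitted, across sequence-number wrap) into the engine; the names `stream_t` and `stream_feed`, the 64-byte window and the keep-first-copy overlap policy are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WIN 64                 /* reorder window in bytes (small, for the demo) */
typedef struct {
    uint32_t next;             /* next in-order sequence number expected */
    uint8_t  buf[WIN];         /* buf[i] = byte with sequence number next+i */
    uint8_t  have[WIN];        /* 1 where buf[i] has been filled */
    char     out[256];         /* reassembled, NUL-terminated stream */
    size_t   out_len;
    unsigned conflicts;        /* buffered overlapping bytes whose content differed */
} stream_t;

static void stream_init(stream_t *s, uint32_t isn) {
    memset(s, 0, sizeof *s);
    s->next = isn + 1;         /* the SYN consumes one sequence number */
}

/* Feed one segment payload; returns how many bytes became deliverable.
 * The signed 32-bit difference keeps ordering correct across wrap. */
static size_t stream_feed(stream_t *s, uint32_t seq, const char *p, size_t len) {
    for (size_t i = 0; i < len; i++) {
        int32_t off = (int32_t)(seq + (uint32_t)i - s->next);
        if (off < 0 || off >= WIN) continue;    /* already delivered, or past window */
        /* Overlap policy (assumption): keep the first copy, count mismatches. */
        if (s->have[off]) s->conflicts += (s->buf[off] != (uint8_t)p[i]);
        else { s->buf[off] = (uint8_t)p[i]; s->have[off] = 1; }
    }
    size_t n = 0, room = sizeof s->out - 1 - s->out_len;
    while (n < WIN && n < room && s->have[n]) n++;   /* contiguous run at head */
    memcpy(s->out + s->out_len, s->buf, n);
    s->out_len += n;
    memmove(s->buf, s->buf + n, WIN - n);            /* slide the window */
    memmove(s->have, s->have + n, WIN - n);
    memset(s->have + WIN - n, 0, n);
    s->next += (uint32_t)n;
    return n;
}

int main(void) {
    stream_t s;
    stream_init(&s, 0xFFFFFFF9u);                /* constructed ISN near wrap */
    stream_feed(&s, 0x00000000u, "HTTP/1.1", 8); /* arrives early, held back */
    stream_feed(&s, 0xFFFFFFFEu, "/ HXXP", 6);   /* overlaps it, 2 bytes differ */
    stream_feed(&s, 0xFFFFFFFAu, "GET ", 4);     /* fills the gap, releases all */
    stream_feed(&s, 0xFFFFFFFAu, "GET ", 4);     /* retransmit, ignored */
    printf("%s (conflicts=%u)\n", s.out, s.conflicts);
    return 0;
}
```

A non-zero `conflicts` count is worth logging in a monitoring tool, since it means two copies of the same sequence range disagreed and the receiving host may have kept a different copy than the sniffer did.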
