[Winpcap-users] TCP/IP stack reassembly
dchang at fsautomation.com
Tue Aug 15 08:24:05 GMT 2006
Don't code it yourself, use libnids.
----- Original Message -----
From: "Accounts" <accounts at sandmik.net>
To: <winpcap-users at winpcap.org>
Sent: Monday, August 14, 2006 11:37 PM
Subject: Re: [Winpcap-users] TCP/IP stack reassembly
> Dear David,
> Thank you for your reply.
> I was looking to see if there is already a way to do that (like the
> follow tcp stream of wireshark) instead of recoding things myself...
> David Chang wrote:
>> I'm sure that different implementations of TCP/IP have small differences
>> in the way they handle packets. However, for the vast majority of real
>> world situations, TCP/IP is well documented in RFC 791 & 793. In
>> addition, books like TCP/IP Illustrated by W. Richard Stevens cover the
>> protocol in great detail. Using these resources, one can write a TCP/IP
>> re-assembly engine. I don't think there is a "standard" implementation
>> (or algorithm) for re-assembly but rather a list of possible problem
>> packets to handle. Looking at the libnids website
>> (libnids.sourceforge.net), they mention a test suite that their
>> re-assembly engine passed (libnids.sourceforge.net/TESTS). Maybe you can
>> contact them to find out how they conducted their tests. Or, maybe you
>> can just use their engine.
>> ----- Original Message ----- From: "Thomas O'Hare" <Tom at RedTile.Com>
>> To: <winpcap-users at winpcap.org>
>> Sent: Monday, August 14, 2006 3:50 PM
>> Subject: Re: [Winpcap-users] TCP/IP stack reassembly
>>> I will go out on a limb here and anyone else is free to jump in...
>>> The nature of TCP/IP is a "connection oriented" protocol. Which mean a
>>> real connection exists between 2 hosts. If the protocol stack is
>>> anywhere near what it should be, then if there are problems with packets
>>> the sending host is supposed to resend the problem data.
>>> So trying to recover and re-assemble packets seems to me to be
>>> defeating, or at least making a lot more work for something that is
>>> supposed to be done for you anyway by the stack.
>>> If I totally missed the boat, then please explain a little further.
>>> But it is late here, I am tired and so I am at a loss as to why you want
>>> to work so hard...
>>> ~ Thomas O'Hare ~
>>> President, RedTile, Inc. - DBA: RedTile Software
>>> Web, Wireless, Network, Database & Systems Software
>>> +1.407.295.9148 ; +49.8651.717950 ; http://www.RedTile.Com/
>>> Operations Manager; Virtual FoxPro User Group
>>> Tom at VFUG.Org ; http://www.VFUG.Org/
>>> Accounts wrote:
>>>> Hi All,
>>>> I believe this question was asked before without a clear answer. Is
>>>> there a definite or a standard way/library of reassembling the tcp/ip
>>>> stack from the sniffed packets?
>>>> I wanted to write one myself but the biggest problem that I have
>>>> faced is debugging, is there a software out there that can simulate
>>>> sending packets on demand (like fragmented and oob...) so that it could
>>>> aid in the development and debugging of a code that does the
>>>> Thank you all.
>>>> Winpcap-users mailing list
>>>> Winpcap-users at winpcap.org
>>> Winpcap-users mailing list
>>> Winpcap-users at winpcap.org
>> Winpcap-users mailing list
>> Winpcap-users at winpcap.org
> Winpcap-users mailing list
> Winpcap-users at winpcap.org
More information about the Winpcap-users