[Winpcap-users] TCP/IP stack reassembly

David Chang dchang at fsautomation.com
Tue Aug 15 08:24:05 GMT 2006


Don't code it yourself, use libnids.

DC

----- Original Message ----- 
From: "Accounts" <accounts at sandmik.net>
To: <winpcap-users at winpcap.org>
Sent: Monday, August 14, 2006 11:37 PM
Subject: Re: [Winpcap-users] TCP/IP stack reassembly


> Dear David,
>
>    Thank you for your reply.
>
>    I was looking to see if there is already a way to do that (like the 
> follow tcp stream of wireshark) instead of recoding things myself...
>
>    Thanks.
>
>
> David Chang wrote:
>> Ralph,
>>
>> I'm sure that different implementations of TCP/IP have small differences 
>> in the way they handle packets.  However, for the vast majority of real 
>> world situations, TCP/IP is well documented in RFC 791 & 793.  In 
>> addition, books like TCP/IP Illustrated by W. Richard Stevens cover the 
>> protocol in great detail.  Using these resources, one can write a TCP/IP 
>> re-assembly engine. I don't think there is a "standard" implementation 
>> (or algorithm) for re-assembly but rather a list of possible problem 
>> packets to handle. Looking at the libnids website 
>> (libnids.sourceforge.net), they mention a test suite that their 
>> re-assembly engine passed (libnids.sourceforge.net/TESTS).  Maybe you can 
>> contact them to find out how they conducted their tests.  Or, maybe you 
>> can just use their engine.
>>
>> DC
>>
>> ----- Original Message ----- From: "Thomas O'Hare" <Tom at RedTile.Com>
>> To: <winpcap-users at winpcap.org>
>> Sent: Monday, August 14, 2006 3:50 PM
>> Subject: Re: [Winpcap-users] TCP/IP stack reassembly
>>
>>
>>> Ralph
>>>
>>> I will go out on a limb here and anyone else is free to jump in...
>>>
>>> The nature of TCP/IP is a "connection oriented" protocol.  Which means a
>>> real connection exists between 2 hosts.  If the protocol stack is
>>> anywhere near what it should be, then if there are problems with packets
>>> the sending host is supposed to resend the problem data.
>>>
>>> So trying to recover and re-assemble packets seems to me to be
>>> defeating, or at least making a lot more work for something that is
>>> supposed to be done for you anyway by the stack.
>>>
>>> If I totally missed the boat, then please explain a little further.
>>>
>>> But it is late here, I am tired and so I am at a loss as to why you want
>>> to work so hard...
>>>
>>> Thanks,
>>> ~ Thomas O'Hare ~
>>> President, RedTile, Inc. - DBA: RedTile Software
>>> Web, Wireless, Network, Database & Systems Software
>>> +1.407.295.9148 ; +49.8651.717950 ; http://www.RedTile.Com/
>>> Operations Manager; Virtual FoxPro User Group
>>> Tom at VFUG.Org ; http://www.VFUG.Org/
>>>
>>>
>>> Accounts wrote:
>>>> Hi All,
>>>>
>>>>    I believe this question was asked before without a clear answer. Is
>>>> there a definite or a standard way/library of reassembling the tcp/ip
>>>> stack from the sniffed packets?
>>>>
>>>>    I wanted to write one myself but the biggest problem that I have
>>>> faced is debugging. Is there software out there that can simulate
>>>> sending packets on demand (like fragmented and oob...) so that it could
>>>> aid in the development and debugging of a code that does the 
>>>> reassembly?
>>>>
>>>>    Thank you all.
>>>>    Ralph.
>>>> _______________________________________________
>>>> Winpcap-users mailing list
>>>> Winpcap-users at winpcap.org
>>>> https://www.winpcap.org/mailman/listinfo/winpcap-users
>>>
>>
>>
>
> 
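The "problem packets" David's reply refers to (out-of-order, retransmitted and overlapping segments) are what any reassembler built on sniffed packets has to handle. As an added example that is not code from the thread or from libnids, here is a minimal one-direction TCP reassembler in Python; the class name, the ISN of 1000 and the sample segments are constructed for illustration. It holds segments behind a gap, drops exact retransmissions, and flags an overlap whose bytes disagree with the copy already kept, since a monitor that keeps a different copy than the receiving host reconstructs a different stream.

```python
SEQ_MOD = 1 << 32  # added illustration, not libnids code; sample data is constructed

class TcpStreamReassembler:
    def __init__(self, isn):
        self.next_seq = (isn + 1) % SEQ_MOD  # the SYN consumes one sequence number
        self.data = bytearray()               # contiguous bytes delivered so far
        self.pending = {}                     # seq -> payload held behind a gap
        self.anomalies = []                   # notes for the analyst

    def _rel(self, seq):
        # distance from next_seq mod 2^32; the upper half means "before next_seq"
        return (seq - self.next_seq) % SEQ_MOD

    def add(self, seq, payload):
        rel = self._rel(seq)
        if rel >= SEQ_MOD // 2:               # segment starts inside delivered data
            already = SEQ_MOD - rel
            start = len(self.data) - already
            if start < 0:
                self.anomalies.append(f"seq {seq} precedes the stream start")
                return
            overlap = min(already, len(payload))
            if bytes(self.data[start:start + overlap]) != payload[:overlap]:
                self.anomalies.append(f"inconsistent overlap at seq {seq}")
            if overlap == len(payload):
                self.anomalies.append(f"retransmission at seq {seq}")
                return
            payload, rel = payload[overlap:], 0  # keep the copy that was seen first
        if rel > 0:
            self.pending[seq] = payload       # hole before it: hold until filled
            return
        self.data += payload
        self.next_seq = (self.next_seq + len(payload)) % SEQ_MOD
        self._drain()

    def _drain(self):
        # re-feed one held segment that now touches next_seq; add() recurses
        for seq in list(self.pending):
            if self._rel(seq) == 0 or self._rel(seq) >= SEQ_MOD // 2:
                self.add(seq, self.pending.pop(seq))
                return

def demo():
    r = TcpStreamReassembler(isn=1000)  # constructed segments follow
    r.add(1006, b"world")   # out of order: held behind a gap
    r.add(1001, b"hello")   # fills the gap, "world" is then drained
    r.add(1001, b"hello")   # exact retransmission
    r.add(1009, b"ldXY")    # consistent overlap plus two new bytes
    r.add(1011, b"ZZ!")     # overlapping bytes disagree with the "XY" already kept
    return bytes(r.data), r.anomalies
```

The anomaly list is the part worth feeding to an IDS or a debugging harness: a segment simulator of the kind Ralph asks for only has to replay these five cases to exercise every branch.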