[Winpcap-users] Parsing TCP packets

Guy Harris guy at alum.mit.edu
Mon Jun 18 07:34:03 GMT 2007


ceo at triplebit.com wrote:
> I have 2 questions -
> 1. I need to interpret TCP packets, identify HTTP requests (the one with 
> the "GET" string) and process them.
> Is there some reference for a similar code?

Wireshark. :-)

> 2. I see inside Ethereal dump file, packets containing the info " TCP
> packets of reassembled PDU", and they all refer to some
> following frame.
>    a. Do they all belong to this frame?

"Belong to" in what sense?

That dump file contains frames that contain TCP segments, and, 
apparently, at least some of those TCP segments contain parts of a 
higher-level packet for some protocol, and that packet isn't completely 
contained in any of those TCP segments.  (I'm assuming none of those TCP 
segments are fragmented by IP fragmentation.)

The frame in question is probably the frame containing the 
chronologically last TCP segment; if Ethereal (or, as it's now called, 
Wireshark) successfully reassembled the higher-level packet, it would be 
displayed if you clicked on that frame.

However, there's nothing special about that frame, other than it 
happening to be the last frame in the capture containing data from that 
higher-level packet.

>    b. Reading the samples with packets processing WinPcap loop, would
> they all be considered as a single packet in the loop?

Each link-layer frame would be considered a single packet in the loop. 
Higher-level packets, such as the one in your capture file, would *NOT* 
be considered a single packet in the loop.  (This is by design and intent.)
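The per-frame behaviour described above, as an added example (not code from this list post, WinPcap or Wireshark): a plain-C parser that locates the TCP payload inside an Ethernet/IPv4/TCP frame and checks for a request beginning with "GET ", next to a deliberately minimal reassembler showing why a request split over two segments is missed when each frame is inspected alone but found once the segments are joined. All frame bytes are constructed inline; the function names and the in-order-only, no-gaps simplification of the reassembler are my own assumptions, and the parser needs no pcap.h so it can be called on the packet pointer a pcap_loop() callback receives.

```c
#include <stdint.h>
#include <string.h>
#define ETH_LEN 14
/* TCP payload offset in an Ethernet/IPv4/TCP frame, or -1 if not TCP or truncated (no pcap.h needed). */
int tcp_payload_offset(const uint8_t *f, size_t n) {
    if (n < ETH_LEN + 20 || f[12] != 0x08 || f[13] != 0x00) return -1;       /* not IPv4 */
    size_t ihl = (f[ETH_LEN] & 0x0f) * 4u;                                    /* IP header len */
    if (ihl < 20 || f[ETH_LEN + 9] != 6 || n < ETH_LEN + ihl + 20) return -1; /* not TCP */
    size_t thl = (f[ETH_LEN + ihl + 12] >> 4) * 4u;                           /* TCP header len */
    if (thl < 20 || n < ETH_LEN + ihl + thl) return -1;
    return (int)(ETH_LEN + ihl + thl);
}
/* What the capture loop sees: one link-layer frame at a time, no reassembly. */
int frame_starts_http_get(const uint8_t *f, size_t n) {
    int off = tcp_payload_offset(f, n);
    return off >= 0 && n - (size_t)off >= 4 && memcmp(f + off, "GET ", 4) == 0;
}
/* Minimal one-direction reassembly; constructed simplification: in-order segments, no gaps. */
struct stream { uint32_t next_seq; size_t len; uint8_t buf[1024]; };
int stream_add(struct stream *s, uint32_t seq, const uint8_t *d, size_t n) {
    if (seq != s->next_seq || s->len + n > sizeof s->buf) return 0;           /* gap or overflow */
    memcpy(s->buf + s->len, d, n); s->len += n; s->next_seq += (uint32_t)n;
    return 1;
}
int stream_starts_http_get(const struct stream *s) {
    return s->len >= 4 && memcmp(s->buf, "GET ", 4) == 0;
}
/* Constructed Ethernet/IPv4/TCP frame to port 80 carrying `payload` at `seq`; fields the parser ignores stay zero. */
size_t build_frame(uint8_t *out, uint32_t seq, const char *payload) {
    size_t plen = strlen(payload), n = ETH_LEN + 20 + 20 + plen;
    memset(out, 0, n);
    out[12] = 0x08; out[13] = 0x00;                                           /* EtherType IPv4 */
    out[ETH_LEN] = 0x45; out[ETH_LEN + 9] = 6;                                /* IHL=5, proto TCP */
    uint8_t *tcp = out + ETH_LEN + 20;
    tcp[3] = 80; tcp[12] = 0x50;                                              /* dport 80, offset 5 */
    for (int i = 0; i < 4; i++) tcp[4 + i] = (uint8_t)(seq >> (24 - 8 * i));
    memcpy(tcp + 20, payload, plen);
    return n;
}
/* "GET /index.html HTTP/1.1" split over two segments. Bit 0/1: per-frame hit on segment
   1/2; bit 2: hit after reassembly. Returns 4, i.e. only reassembly finds the request. */
int split_get_demo(void) {
    uint8_t f1[128], f2[128]; struct stream s = { 1000, 0, {0} };
    size_t n1 = build_frame(f1, 1000, "GE"), n2 = build_frame(f2, 1002, "T /index.html HTTP/1.1\r\n");
    int o1 = tcp_payload_offset(f1, n1), o2 = tcp_payload_offset(f2, n2);
    int r = frame_starts_http_get(f1, n1) | (frame_starts_http_get(f2, n2) << 1);
    stream_add(&s, 1000, f1 + o1, n1 - (size_t)o1);
    stream_add(&s, 1002, f2 + o2, n2 - (size_t)o2);
    return r | (stream_starts_http_get(&s) << 2);
}
```

A real reassembler must also key streams by both address/port pairs and handle out-of-order and retransmitted segments, which this sketch deliberately leaves out.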
