[Winpcap-users] Parsing TCP packets
guy at alum.mit.edu
Mon Jun 18 07:34:03 GMT 2007
ceo at triplebit.com wrote:
> I have 2 questions -
> 1. I need to interpret TCP packets, identify HTTP requests (the one with
> the "GET" string) and process them.
> Is there some reference for a similar code?
> 2. I see inside Ethereal dump file, packets containing the info " TCP
> packets of reassembeled PDU", and they all refer to some
> following frame.
> a. Do they all belong this frame?
"Belong to" in what sense?
That dump file contains frames that contain TCP segments, and,
apparently, at least some of those TCP segments contain parts of a
higher-level packet for some protocol, and that packet isn't completely
contained in any of those TCP segments. (I'm assuming none of those TCP
segments are fragmented by IP fragmentation.)
The frame in question is probably the frame containing the
chronologically last TCP segment; if Ethereal (or, as it's now called,
Wireshark) successfully reassembled the higher-level packet, it would be
displayed if you clicked on that frame.
However, there's nothing special about that frame, other than it
happening to be the last frame in the capture containing data from that
> b. Reading the samples with packets processing WinPcap loop, would
> they all be condidered as a single packet in the loop?
Each link-layer frame would be considered a single packet in the loop.
Higher-level packets, such as the one in your capture file, would *NOT*
be considered a single packet in the loop. (This is by design and intent.)
More information about the Winpcap-users