Wireshark mailing list archives
Re: tcp reassembly
From: Chun Chan <chun_chan () ymail com>
Date: Wed, 16 Dec 2009 22:41:43 -0800 (PST)
ok. I understand and thanks for answers. Bu I have a only one qestion. I write a simple code client/server example with using socket. Server side is watitng to read 10000 bytes in while loop. Ans server side print a message after recv packet. like that "n bytes received." client side is sending 5000 bytes two times to server. I hope server side is only one message "10.000 bytes received" but server side printed a message two times "5000 bytes received". Then I analyze tcpip packet there is many packet 1400 bytes. How understand socket when finish message? I want to do that thing with sniffer how socket did. thanks ________________________________ From: Sake Blok <sake () euronet nl> To: Community support list for Wireshark <wireshark-users () wireshark org> Sent: Thu, December 17, 2009 12:13:26 AM Subject: Re: [Wireshark-users] tcp reassembly TCP is a streaming protocol. This means it will just take the data is has been given from the upper layer and transmit it to the receiving end. The receiving end on it's turn just passes the traffic as a stream towards the upper layer. It is the upper layer that is responsible for reassembly of the data into it's PDU's. Within wireshark, it's also the upper layer dissectors telling the tcp dissector to fetch more data (ie use data from the next packet in the tcp stream) to complete it's PDU for dissection. For example, in HTTP/1.0, a Content-Length header is used to tell the browser how much data to pull from the tcp stream to complete the object (=PDU at HTTP layer). After that a new object can be requested over the same tcp stream. Hope this helps, Cheers, Sake ----- Original Message -----
From: Chun Chan To: wireshark-users () wireshark org Sent: Wednesday, December 16, 2009 10:27 PM Subject: [Wireshark-users] tcp reassembly Hi I am writing a sniffer but I couldnt understand some things about tcp reassembly. firstly I send a data via socket 5000 bytes. then tcpip stack split into three tcp packets. but this is not ip fragmentation. I think this is tcp segmentation. but I can not understand when I will sniff this packet How can I defragment this packet? I need to understand when finished 5000 bytes. I will waiting your reply thanks
________________________________
___________________________________________________________________________ Sent via: Wireshark-users mailing list <wireshark-users () wireshark org> Archives: http://www.wireshark.org/lists/wireshark-users Unsubscribe: https://wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request () wireshark org?subject=unsubscribe
___________________________________________________________________________ Sent via: Wireshark-users mailing list <wireshark-users () wireshark org> Archives: http://www.wireshark.org/lists/wireshark-users Unsubscribe: https://wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request () wireshark org?subject=unsubscribe
Current thread:
- tcp reassembly Chun Chan (Dec 16)
- Re: tcp reassembly Martin Visser (Dec 16)
- Re: tcp reassembly Stephen Fisher (Dec 16)
- Re: tcp reassembly Sake Blok (Dec 16)
- Re: tcp reassembly Chun Chan (Dec 16)
- Re: tcp reassembly Guy Harris (Dec 17)
- Re: tcp reassembly Chun Chan (Dec 17)
- Re: tcp reassembly Chun Chan (Dec 16)
- Re: tcp reassembly Martin Visser (Dec 16)