Re: tcp reassembly

[Chun Chan <chun_chan () ymail com>]

ok. I understand and thanks for answers.
Bu I have a only one qestion.
I write a simple code client/server example with using socket.
Server side is watitng to read 10000 bytes in while loop. Ans server side print a message after recv packet. like that 
"n bytes received." 
client side is sending 5000 bytes two times to server.

I hope server side is only one message "10.000 bytes received" but server side printed a message two times "5000 bytes 
received".
Then I analyze tcpip packet there is many packet 1400 bytes.
How understand socket when finish message? I want to do that thing with sniffer how socket did.
thanks




________________________________
From: Sake Blok <sake () euronet nl>
To: Community support list for Wireshark <wireshark-users () wireshark org>
Sent: Thu, December 17, 2009 12:13:26 AM
Subject: Re: [Wireshark-users] tcp reassembly

 
TCP is a streaming protocol. This means it will 
just take the data is has been given from the upper layer and transmit it to the 
receiving end. The receiving end on it's turn just passes the traffic as a 
stream towards the upper layer. It is the upper layer that is responsible for 
reassembly of the data into it's PDU's.
 
Within wireshark, it's also the upper layer 
dissectors telling the tcp dissector to fetch more data (ie use data from the 
next packet in the tcp stream) to complete it's PDU for dissection.
 
For example, in HTTP/1.0, a Content-Length header 
is used to tell the browser how much data to pull from the tcp stream to 
complete the object (=PDU at HTTP layer). After that a new object can be 
requested over the same tcp stream.
 
Hope this helps,
Cheers,
     Sake
 
----- Original Message ----- 
> From: Chun Chan 
> To: wireshark-users () wireshark org 
> Sent: Wednesday, December 16, 2009 10:27 
>  PM
> Subject: [Wireshark-users] tcp 
>  reassembly
>
>
> Hi
> I am writing a sniffer but I couldnt understand some things about 
>  tcp reassembly.
> firstly I send a data via socket 5000 bytes. then tcpip 
>  stack split into three tcp packets. but this is not ip fragmentation. I think 
>  this is tcp segmentation.
> but I can not understand when I will sniff this 
>  packet How can I defragment this packet? 
> I need to understand when 
>  finished 5000 bytes.
> I will waiting your reply
> thanks
________________________________
> ___________________________________________________________________________
> Sent 
>  via:    Wireshark-users mailing list 
>  <wireshark-users () wireshark org>
> Archives:    
> http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: 
> https://wireshark.org/mailman/options/wireshark-users
>             
>  mailto:wireshark-users-request () wireshark org?subject=unsubscribe


___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe