tcpdump mailing list archives
Re: TCP/UDP Data Streams - Packet Reassembly
From: samuel () udel edu
Date: Thu, 19 Dec 2002 13:23:09 -0500 (EST)
No one has mentioned this yet, so here it is: Provided that the dump contains the data portion of the TCP PDU (protocol data unit), you can extract the traffic that was sent over TCP during a connection. UDP is a stateless protocol, and so to have any reassembly take place regarding UDP you would have to reconstruct the upper-layer protocol information and work with that. TCP is a connection-oriented protocol, and so each PDU is given a sequence number.

Time and dates are not normally included in UDP and TCP packets, and IP almost NEVER uses any sort of dating information. If you collect data, be SURE that you can extract the date information from the upper-layer protocols (such as SMTP or HTTP) or reliably date your tcpdump.

Finally, the best place to get technical information on TCP and UDP is to look at the associated RFCs (Request for Comments), which define TCP and UDP format and behavior. There is also an excellent book by Siemens which talks about TCP and related protocols and gives quick PDU format diagrams in the front.

Note that to get the data portion from the tcpdump, you must set your snap length to the link-layer MTU or greater and include the -X flag in the program. :-)

Ethereal is a very nice program that "knows" about upper layers and is free and quite well maintained! It also has plugins for other transport-layer protocols such as SCTP.

Hope this helps some! I would suggest grabbing an expert on transport-layer protocols and tapping their mind for some of the finer details involved. Dumps (regardless of program) can be interesting depending on the networking context.

Sam

On Thu, 19 Dec 2002, Susan Chan Lee wrote:
> Anyone know where to obtain information on re-assembling TCP/UDP data streams? I mean I have captured data using Tcpdump (i.e. raw data); how do I recombine the data into the original Word attachment (or the like)? Cannot seem to find any information anywhere on the techniques involved in this.
>
> Thanks
>
> Susan Chan Lee
> Security Associates - Singapore
This is the TCPDUMP workers list. It is archived at http://www.tcpdump.org/lists/workers/index.html
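The reply above describes the two things a reassembler needs: the data portion of each TCP segment in the dump (a large enough snaplen) and the sequence numbers to put segments back in order. The following is an added example, not code from Sam's post or from the tcpdump project: a stdlib-only reader for the classic pcap format that tcpdump -w writes, plus a per-flow reassembler that orders segments by sequence number relative to the ISN seen in the SYN, tolerates out-of-order delivery and retransmissions, zero-fills and reports holes, and flags records cut short by a too-small snaplen. It assumes an Ethernet link type, IPv4 without fragmentation, and a captured SYN for every flow; the capture, addresses and HTTP payloads are constructed inline so it runs offline.

```python
"""Added example (not from the mailing-list post): TCP stream reassembly from a pcap."""
import socket
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
TCP_SYN = 0x02


def build_segment(src, dst, sport, dport, seq, ack, flags, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame; checksums are left zero (not verified below)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload


def build_pcap(frames, snaplen=65535):
    """Write frames as a little-endian classic pcap; frames longer than snaplen are cut
    exactly as tcpdump would cut them (caplen < origlen in the record header)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        cap = frame[:snaplen]
        out += struct.pack("<IIII", 1040300000 + i, 0, len(cap), len(frame)) + cap
    return out


def iter_pcap_records(data):
    """Yield (caplen, origlen, frame_bytes) for every record in a classic pcap file."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic not in (PCAP_MAGIC, 0xD4C3B2A1):
        raise ValueError("not a classic pcap file")
    endian = "<" if magic == PCAP_MAGIC else ">"
    if struct.unpack_from(endian + "IHHiIII", data, 0)[6] != LINKTYPE_ETHERNET:
        raise ValueError("example only handles Ethernet captures")
    off = 24
    while off + 16 <= len(data):
        _, _, caplen, origlen = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield caplen, origlen, data[off:off + caplen]
        off += caplen


def merge_segments(segments):
    """Join {relative_offset: payload} in sequence order. Bytes already present
    (retransmissions) are dropped; missing ranges are zero-filled and reported."""
    out, gaps = bytearray(), []
    for off in sorted(segments):
        data = segments[off]
        if off > len(out):
            gaps.append((len(out), off))
            out.extend(b"\x00" * (off - len(out)))
        if off + len(data) > len(out):
            out.extend(data[len(out) - off:])
    return bytes(out), gaps


def reassemble_tcp(pcap_bytes):
    """Return ({flow: (payload, gaps)}, truncated_records). Flows whose SYN was not
    captured are skipped: without the ISN there is no zero point for relative offsets."""
    segments, isn, truncated = defaultdict(dict), {}, []
    for caplen, origlen, frame in iter_pcap_records(pcap_bytes):
        if caplen < origlen:
            truncated.append((caplen, origlen))  # snaplen too small for this frame
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # too short, not IPv4, or not TCP
        ip_len = struct.unpack_from("!H", frame, 16)[0]
        ihl = (frame[14] & 0x0F) * 4
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        tcp_off = 14 + ihl
        sport, dport, seq, _ack, doff, flags = struct.unpack_from("!HHIIBB", frame, tcp_off)
        payload = frame[tcp_off + (doff >> 4) * 4:min(14 + ip_len, len(frame))]
        flow = f"{src}:{sport}->{dst}:{dport}"
        if flags & TCP_SYN:
            isn[flow] = (seq + 1) & 0xFFFFFFFF  # SYN consumes one sequence number
            continue
        if flow in isn and payload:
            segments[flow][(seq - isn[flow]) & 0xFFFFFFFF] = payload
    return {flow: merge_segments(segs) for flow, segs in segments.items()}, truncated


# Constructed sample: handshake, an HTTP request, and a response delivered out of
# order with one retransmitted segment.
C, S = "10.0.0.1", "10.0.0.2"
SAMPLE_FRAMES = [
    build_segment(C, S, 40000, 80, 1000, 0, 0x02),     # SYN
    build_segment(S, C, 80, 40000, 5000, 1001, 0x12),  # SYN/ACK
    build_segment(C, S, 40000, 80, 1001, 5001, 0x10),  # ACK
    build_segment(C, S, 40000, 80, 1001, 5001, 0x18, b"GET / HTTP/1.0\r\n\r\n"),
    build_segment(S, C, 80, 40000, 5020, 1019, 0x18, b"hello, world\n"),  # arrives first
    build_segment(S, C, 80, 40000, 5001, 1019, 0x18, b"HTTP/1.0 200 OK\r\n"),
    build_segment(S, C, 80, 40000, 5001, 1019, 0x18, b"HTTP/1.0 200 OK\r\n"),  # retransmit
    build_segment(S, C, 80, 40000, 5018, 1019, 0x18, b"\r\n"),
]

if __name__ == "__main__":
    for snaplen in (65535, 68):  # 68 bytes was tcpdump's old default snaplen
        streams, truncated = reassemble_tcp(build_pcap(SAMPLE_FRAMES, snaplen))
        print(f"snaplen={snaplen}: {len(truncated)} truncated record(s)")
        for flow, (payload, gaps) in streams.items():
            print(f"  {flow}: {payload!r} gaps={gaps}")
```

Running it with the default snaplen yields both directions of the conversation intact; with a 68-byte snaplen the same capture loses the tail of every frame longer than 68 bytes, and the reassembler reports three truncated records and a hole in the server's stream, which is exactly the failure the snap-length advice above is meant to prevent.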