tcpdump mailing list archives
Re: TCP stream decoding
From: Hannes Gredler <hannes () juniper net>
Date: Wed, 25 Dec 2002 18:55:58 +0100
On Mon, Dec 16, 2002 at 04:34:34PM -0800, Guy Harris wrote:
| On Sun, Dec 15, 2002 at 09:06:21PM +0100, Hannes Gredler wrote:
| > have there been efforts [or thoughts, or even some code ;-)]
| > for putting together the TCP stream and expose it to higher-level
| > dissectors [aka stateful decoding] ?
|
| None that I know of in tcpdump. Ethereal supports it, but it requires
| both support in the TCP dissector and in subdissectors (as only they
| know where higher-level PDUs begin and end).
|
| > i am wondering about the feasibility of such a project,
| > while still preserving tcpdump's small footprint;
|
| Hmm. Given that tcpdump is strictly one-pass, it's a bit of a simpler
| problem than in Ethereal - it could discard saved data from previous TCP
| segments once it hands the reassembled data to the higher-level
| dissector.

guy,

i was thinking about a special DLT_ format to solve that problem, i.e.:

1. use tcpdump -i -w <file1> to capture a set of packets;
2. use tcpdump -r <file1> -w <file2> -<TBD> to write all the re-sequenced data belonging to a single stream to <file2> using that special, e.g. DLT_STREAM, format;
3. use tcpdump -r <file2>; in the printer selection call straight into the higher level protocols [print-telnet, print-http, print-smtp, print-ldp];

in the higher level protocols we could place content extractors etc. and/or hook in third party decoders [ethereal] etc., b/c such a middle layer processing would make life much easier for any higher level dissectors;

---

the whole idea deviates from the notion that an entry in a libpcap file actually refers to a packet; now it can also be a stream or a set of streams; the data found in DLT_STREAM should be generic enough to encode a stream of bytes indep. of the underlying protocol [OSI, IPv4, IPv6, L2 etc ...]

this would also give us the possibility to implement functions like [decode-as] as ethereal does it today, using an option -<TBD2>;

any thoughts, suggestions would be highly appreciated;

/hannes

| Note, for what it's worth, that Ethereal currently doesn't handle
| out-of-order TCP segment delivery. I don't know how much more
| complicated that'd make it.

-
This is the TCPDUMP workers list. It is archived at http://www.tcpdump.org/lists/workers/index.html
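The re-sequencing that step 2 of the proposal would have to do for one direction of a stream, as an added example that is not tcpdump code nor anything posted in this thread: the segments are constructed, the buffer bound and the first-copy-wins rule on overlap are assumptions, and it covers the out-of-order delivery Guy mentions plus the 2^32 sequence-number wrap.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STREAM_MAX 512
/* One segment of a single TCP direction: sequence number plus payload. */
struct seg { uint32_t seq; const char *data; };

/* Re-sequence segs relative to isn into out[] (NUL-terminated) and return
 * the count of contiguous bytes from isn, stopping at the first hole.
 * Out-of-order arrival, duplicates and overlapping retransmissions are
 * tolerated (first copy of a byte wins); seq - isn wraps modulo 2^32. */
size_t reassemble(const struct seg *segs, size_t n, uint32_t isn,
                  char *out, size_t cap)
{
    unsigned char have[STREAM_MAX] = {0};      /* which offsets are filled */
    if (cap > STREAM_MAX) cap = STREAM_MAX;    /* assumed per-stream bound */
    for (size_t i = 0; i < n; i++) {
        uint32_t off = segs[i].seq - isn;      /* offset from isn, wraps */
        if (off >= cap - 1) continue;          /* before isn or past buffer */
        for (size_t j = 0; segs[i].data[j] && off + j < cap - 1; j++)
            if (!have[off + j]) { out[off + j] = segs[i].data[j]; have[off + j] = 1; }
    }
    size_t contig = 0;
    while (contig < cap - 1 && have[contig]) contig++;
    out[contig] = '\0';
    return contig;
}

/* Constructed sample, isn 1000: delivered out of order, one retransmission
 * (second 1006) and a hole at 1016..1019 before the final segment. */
static const struct seg sample[] = {
    { 1010, "stream" }, { 1000, "hello " }, { 1006, "tcp " },
    { 1006, "tcp " },   { 1020, "tail" },
};
size_t run_sample(char *out, size_t cap) { return reassemble(sample, 5, 1000, out, cap); }

/* Constructed sample straddling the 2^32 sequence-number wrap. */
static const struct seg sample_wrap[] = { { 0, "ped" }, { 0xFFFFFFFCu, "wrap" } };
size_t run_sample_wrap(char *out, size_t cap) { return reassemble(sample_wrap, 2, 0xFFFFFFFCu, out, cap); }

int main(void)
{
    char buf[64];
    size_t n = run_sample(buf, sizeof buf);
    printf("%zu contiguous bytes \"%s\", hole at seq %zu\n", n, buf, 1000 + n);
    n = run_sample_wrap(buf, sizeof buf);
    printf("%zu bytes across the wrap \"%s\"\n", n, buf);
    return 0;
}
```

The bytes after the hole stay buffered but are not handed up, which is where a one-pass tool would have to decide between waiting for the retransmission and flushing with a gap marker.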
Current thread:
- TCP stream decoding Hannes Gredler (Dec 15)
- Re: TCP stream decoding Guy Harris (Dec 16)
- Re: TCP stream decoding Hannes Gredler (Dec 25)
- Re: TCP stream decoding Guy Harris (Dec 16)