tcpdump mailing list archives
Reassembly.
From: Matthew Comb <mattyc () orcon net nz>
Date: Thu, 06 Feb 2003 17:57:54 -0500
Regarding reassembly, I notice if you get tcpdump to output the textual header also you get something like this.
10709:10941(232) which gives you the starting and ending byte range. Is this information available in the IP header / TCP header? I am thinking about times when you have intercepted two files at once.
How do you go about piecing them together to the correct stream? I see that there is an F flag for the final data send. I assume this is used, but do you generally use sequencenum, identification num or acknum at all?
A little help here would be appreciated.
Kind regards,
Matt.
--
Matty C
Sponsored by Orcon Internet NZ Ltd.
--- Begin Message ---
From: Matthew Comb <mattyc () orcon net nz>
Date: Thu, 06 Feb 2003 11:18:37 -0500
Regarding reassembly, I notice if you get tcpdump to output the textual header also you get something like this.
10709:10941(232) which gives you the starting and ending byte range. Is this information available in the IP header / TCP header? I am thinking about times when you have intercepted two files at once.
How do you go about piecing them together to the correct stream? I see that there is an F flag for the final data send. I assume this is used, but do you generally use sequencenum, identification num or acknum at all?
A little help here would be appreciated.
Kind regards,
Matt.
--- End Message ---
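An added example, not part of the original post and not tcpdump code: the `first:last(nbytes)` range quoted above comes from the TCP sequence number field, so segments from two simultaneous transfers can be separated by address/port pair and then ordered by that range. The capture lines are constructed in the older tcpdump text format, the function names are hypothetical, and sequence-number wraparound is ignored.

```python
import re
from collections import defaultdict

# Constructed capture lines (not from the post): two connections interleaved,
# one segment out of order, one retransmitted.
LINES = """\
17:57:54.10 10.0.0.5.1025 > 10.0.0.9.80: P 10709:10941(232) ack 1 win 5840
17:57:54.11 10.0.0.5.1026 > 10.0.0.9.80: . 500:600(100) ack 1 win 5840
17:57:54.12 10.0.0.5.1025 > 10.0.0.9.80: . 11041:11141(100) ack 1 win 5840
17:57:54.13 10.0.0.5.1025 > 10.0.0.9.80: . 10941:11041(100) ack 1 win 5840
17:57:54.14 10.0.0.5.1026 > 10.0.0.9.80: FP 600:650(50) ack 1 win 5840
17:57:54.15 10.0.0.5.1025 > 10.0.0.9.80: . 10941:11041(100) ack 1 win 5840
"""

SEG = re.compile(r"(\S+) > (\S+): (\S+) (\d+):(\d+)\((\d+)\)")

def parse_flows(text):
    """Group data ranges by one-directional flow (src addr.port, dst addr.port)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = SEG.search(line)
        if not m:
            continue  # line carries no first:last(nbytes) range, e.g. a bare ACK
        src, dst, flags = m.group(1, 2, 3)
        first, last, nbytes = (int(x) for x in m.group(4, 5, 6))
        if last - first == nbytes:  # skip ranges that are not self-consistent
            flows[(src, dst)].append((first, last, "F" in flags))
    return flows

def order_flow(segments):
    """Sort one flow by sequence range; return (ranges, gaps, saw_fin)."""
    ranges, gaps, saw_fin, expected = [], [], False, None
    for first, last, fin in sorted(set(segments)):
        saw_fin = saw_fin or fin
        if first == last or (expected is not None and last <= expected):
            continue  # empty segment, or bytes already held (retransmission)
        if expected is not None and first > expected:
            gaps.append((expected, first))  # missing bytes: stream incomplete
        start = first if expected is None else max(first, expected)
        ranges.append((start, last))
        expected = last
    return ranges, gaps, saw_fin

if __name__ == "__main__":
    for flow, segs in parse_flows(LINES).items():
        print(flow, order_flow(segs))
```

A flow is complete only when `gaps` is empty and the FIN has been seen; the F flag alone says nothing about segments lost before it.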