tcpdump mailing list archives

handling tcp retransmissions with libpcap


From: Andy Coates <andy () bribed net>
Date: Thu, 23 Sep 2004 13:29:33 +0100

Hello,

I've been trying to read some tcp payloads from a dump file
generated by tcpdump.  Everything has been going smoothly until
I encounter tcp segment losses and tcp retransmissions.

Now I'm no coding genius nor do I understand the ins and outs of
tcp headers enough to be able to develop a solution myself, so
I'm hoping there are some routines out there already that can
aid me, or some easy reading on how to do it myself.

Basically I started off with the sniffer.c source code and 
the tcpdump.org pcap tutorial, and have worked on building my
program from that.  So all the necessary structures are available
to me:

  ethernet = (struct sniff_ethernet*)(packet);
  ip = (struct sniff_ip*)(packet + size_ethernet);
  tcp = (struct sniff_tcp*)(packet + size_ethernet + size_ip);
  payload = (u_char *)(packet + size_ethernet + size_ip + size_tcp);

My problem (as discovered using ethereal to analyse the dump) is
that a few packets are getting lost/retransmitted, and I've no idea
how to tell that is happening from the basic information available
to me, so I see (in ethereal):

        [TCP Previous segment lost]
        [TCP Dup ACK 17#1]
        [TCP Retransmission]
        [TCP Retransmission]

Now if I can identify what a bad packet is and ignore it, and then
find the correct retransmitted packet, I can get the correct payload
I was looking for I presume.

All pcap examples I've seen so far ignore this problem occurring so
I haven't seen an example way of doing it yet.

Can anyone help?

Thanks,
Andy.

-- 
n: Andy Coates                         e: andy () bribed net
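
Added example, not part of the original post or of sniffer.c: one way to tell retransmitted, overlapping and out-of-order segments apart is to track the next expected sequence number for each direction of a connection. The names `stream_state`, `stream_start` and `classify_segment` are hypothetical; `seq` is assumed to be `ntohl(tcp->th_seq)` and `len` the TCP payload length.

```c
#include <stdint.h>
#include <stdio.h>

enum seg_class { SEG_NO_DATA, SEG_IN_ORDER, SEG_RETRANSMISSION, SEG_OVERLAP, SEG_GAP };

/* Hypothetical per-direction state (key it by src/dst address and port). */
struct stream_state {
    int      started;   /* 0 until a SYN or the first data segment is seen */
    uint32_t next_seq;  /* sequence number of the next payload byte expected */
};

/* Signed distance a - b in sequence space; survives 32-bit wraparound. */
static int32_t seq_diff(uint32_t a, uint32_t b) { return (int32_t)(a - b); }

void stream_start(struct stream_state *st, uint32_t isn)
{
    st->started = 1;
    st->next_seq = isn + 1;   /* the SYN itself consumes one sequence number */
}

/* seq: sequence number in host byte order; len: payload bytes in the segment.
 * *skip receives how many leading payload bytes were already seen. */
enum seg_class classify_segment(struct stream_state *st, uint32_t seq,
                                uint32_t len, uint32_t *skip)
{
    *skip = 0;
    if (len == 0) return SEG_NO_DATA;             /* pure ACK, no payload */
    if (!st->started) stream_start(st, seq - 1);  /* capture began mid-stream */
    if (seq_diff(seq, st->next_seq) > 0) return SEG_GAP;  /* hole before it */
    if (seq_diff(seq + len, st->next_seq) <= 0) {
        *skip = len;                              /* every byte already seen */
        return SEG_RETRANSMISSION;
    }
    *skip = st->next_seq - seq;                   /* 0 when exactly in order */
    st->next_seq = seq + len;
    return *skip ? SEG_OVERLAP : SEG_IN_ORDER;
}

int main(void)
{
    /* Constructed {seq, len} pairs for one direction after a SYN with ISN 999. */
    uint32_t s[][2] = {{1000,100}, {1200,100}, {1000,100}, {1100,100}, {1150,100}};
    struct stream_state st = {0, 0};
    uint32_t skip;
    stream_start(&st, 999);
    for (int i = 0; i < 5; i++)
        printf("seq=%u class=%d\n", (unsigned)s[i][0],
               (int)classify_segment(&st, s[i][0], s[i][1], &skip));
    return 0;
}
```

A segment classified `SEG_GAP` has to be buffered and passed in again once the hole before it has been filled, because the sender normally retransmits only the missing bytes.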