Re: tcp reassembly

[Stephen Fisher <steve () stephen-fisher com>]

On Dec 16, 2009, at 2:51 PM, Martin Visser wrote:

> Your "protocol" needs to convey this information - there is nothing  
> in TCP that knows when the SDU (Service Data Unit) is carrying is  
> finished. Basically you have two options. Either your protocol (that  
> defines that those 5000 bytes is a Protocol Data Unit) needs to  
> provide  a header (indicating at least the length) OR a trailer,  
> that has some sort of a delimiter (say a NULL character or CRLF)  
> that indicates your PDU is finished. Together this is basically  
> known as framing, by which you indicate the begin and end of your  
> data units.
>
> Regards, Martin
>
> MartinVisser99 () gmail com
>
>
> On Thu, Dec 17, 2009 at 8:27 AM, Chun Chan <chun_chan () ymail com>  
> wrote:
> Hi
> I am writing a sniffer but I couldnt understand some things about  
> tcp reassembly.
> firstly I send a data via socket 5000 bytes. then tcpip stack split  
> into three tcp packets. but this is not ip fragmentation. I think  
> this is tcp segmentation.
> but I can not understand when I will sniff this packet How can I  
> defragment this packet?
> I need to understand when finished 5000 bytes.
> I will waiting your reply

Additionally, refer to section 2.7 ("Reassembly/desegmentation for  
protocols running atop TCP.") of doc/README.developer in the source  
tree.  Future questions about dissector creation are best sent to wireshark-dev () wireshark org 
  mailing list after subscribing, even though a number of us are on  
both lists.


Steve

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe