Selçuk Cevher wrote:
> Hi All,
>
> I am new to Wireshark development and, at this stage, mostly
> interested in the inner workings of Wireshark.
>
> First, I want to make sure that what I currently know about Wireshark
> is correct.
>
> In section 9.4.2 "How to reassemble split TCP Packets" of Wireshark's
> development guide, I saw that an application layer message can be
> carried in a single TCP packet or multiple ones.
>
> If there are multiple TCP packets carrying an application protocol
> message, the application protocol's header is contained only in the
> first TCP packet - the remaining packets have application data only.
>
> In this case, to properly dissect the application layer message, split TCP
> packets should first be reassembled. That's why tcp_dissect_pdus() is
> used.
>
> On the other hand, the development guide also says that a single TCP
> segment can carry multiple application messages at the same time.
>
> In this case, it cannot be assumed that "the message header is at the
> start of your TCP payload". Does it mean that there might be multiple
> application layer headers in the payload of this single TCP segment,
> and each application header may start from an arbitrary location
> depending on the message size?

Yes.
Here is a sequence of application messages:

|header||data.......||header||data.......||header||data.......||header||data.......||header||data.......|

With TCP, you can receive them like these examples:

|packet...............||packet...............||packet...............||packet...............||packet...............|
|packet..........................................................................................................................|
|packet..........................................||packet...............||packet...............||packet...............|
|packet......||packet.........................................................................................||packet....|
|packet..||packet......||packet...........................................................................................|

etc ...

Olivier

> My second issue is the "Follow TCP Stream" command.
>
> How does this command relate to the reassembly of split TCP packets or
> tcp_dissect_pdus()?
>
> The implementation of the "Follow TCP Stream" command should be more
> complicated since it should cover handling the dropped, duplicated and
> out-of-order TCP packets.
>
> How does Wireshark handle these issues? Where is the implementation of
> the "Follow TCP Stream" command in the source tree?
>
> I will really appreciate any help on this in terms of comments,
> documents, URLs, etc.
>
> Thanks.
> ___________________________________________________________________________
> Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org>
> Archives: http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
> mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
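The framing situation in Olivier's diagram, as an added example that is not part of the thread or of Wireshark's own code: a constructed toy protocol with a 4-byte header (type, big-endian body length) and a framer that mirrors the contract of tcp_dissect_pdus() (fixed header size, a get_pdu_len callback, hold bytes back until a whole PDU is present, then loop because another header may follow immediately). The protocol, the MAX_PDU_LEN sanity bound and every name here are assumptions made for the example.

```python
import struct

HEADER_LEN = 4            # fixed header: 2-byte type + 2-byte big-endian body length
MAX_PDU_LEN = 64 * 1024   # assumed sanity bound; a corrupted length must not stall framing

def make_pdu(msg_type: int, body: bytes) -> bytes:
    """Build one application message of the constructed toy protocol."""
    return struct.pack("!HH", msg_type, len(body)) + body

def get_pdu_len(header: bytes) -> int:
    """Plays the role of the get_pdu_len callback: total size = header + body."""
    _msg_type, body_len = struct.unpack("!HH", header[:HEADER_LEN])
    return HEADER_LEN + body_len

class PduFramer:
    """Reassembles PDUs from TCP segments that were cut at arbitrary offsets."""

    def __init__(self) -> None:
        self.pending = b""            # bytes held back until a complete PDU exists
        self.pdus: list[bytes] = []   # completed PDUs, in stream order
        self.errors: list[str] = []

    def feed(self, segment: bytes) -> list[bytes]:
        """Consume one segment; return the PDUs it completed (zero or more)."""
        self.pending += segment
        completed = []
        while len(self.pending) >= HEADER_LEN:   # a header may sit at any offset
            total = get_pdu_len(self.pending)
            if total > MAX_PDU_LEN:
                self.errors.append(f"bogus PDU length {total}; dropping stream state")
                self.pending = b""               # no delimiter, so no way to resync
                break
            if len(self.pending) < total:
                break                            # header seen, body still incomplete
            completed.append(self.pending[:total])
            self.pending = self.pending[total:]  # next header may follow immediately
        self.pdus.extend(completed)
        return completed

def frame_stream(pdus: list[bytes], cuts: list[int]) -> tuple[list[bytes], bytes]:
    """Serialize pdus, split the byte stream at the given offsets, feed the pieces."""
    stream = b"".join(pdus)
    bounds = [0] + sorted(cuts) + [len(stream)]
    framer = PduFramer()
    for start, end in zip(bounds, bounds[1:]):
        framer.feed(stream[start:end])
    return framer.pdus, framer.pending
```

Whatever the cut points, the same PDUs come out; a length field that claims more than MAX_PDU_LEN is reported instead of buffered indefinitely.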