views:

581

answers:

3

I'm now developing a project using WinPcap. As I have known, packets being sniffed are usually fragmented packets.

How do I reassemble these TCP segments? Any ideas, suggestions or tutorials available?

This I assume to be the only way I can view the HTTP header...

Thanks!

+2  A: 

There is no such thing as a TCP fragment. The IP protocol has fragments. TCP is a stream protocol. You can assemble the stream to its intended order by following the sequence numbers of both sides. Every TCP packet goes to the IP level and can be fragmented there. You can assemble each packet by collecting all of the fragments and following the fragment offset from the header.
All of the information you need is in the headers. The Wikipedia articles are quite useful in explaining what each field is:

http://en.wikipedia.org/wiki/TCP_header#Packet_structure
http://en.wikipedia.org/wiki/IPv4#Header

shoosh
A: 

TCP is a byte stream protocol. The sequence of bytes sent by your HTTP application is encapsulated in TCP data segments, and the byte stream is recreated before the data is delivered to the application on the other side. Since you are accessing the TCP data segments using WinPcap, you need to go to the data portion of the segment. The header of TCP has a fixed length of 20 bytes + an optional part which you need to determine using the WinPcap API.

The length of the data part in the TCP segment is determined by subtracting the TCP header length (obtained from a field in the TCP segment) and the IP header length (from a field in the IP datagram that encapsulates the TCP segment) from the total length (obtained from another field in the IP datagram).

So now you have the total segment length and the length of the data part within the segment. So you know the offset where the HTTP request data starts.

The offset is

total length - length of data part
or
length of IP header + length of TCP header

I have not used WinPcap, so you will have to find out how to get these fields using the API.

Also, IP datagrams may be further fragmented, but I am expecting that you are provided only reassembled datagrams using this API. You are good to go!

iamrohitbanga
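As an added illustration of the offset arithmetic in the answer above (this is not code from the original post or from WinPcap), the C function below walks a raw Ethernet/IPv4/TCP frame of the kind a capture callback receives, computes the payload offset from the IHL and TCP data offset fields, and refuses frames whose IP fragment flags show they still need IP-level reassembly. The frame bytes are constructed for the example; the function and frame names are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Walk Ethernet(14) + IPv4 (IHL*4) + TCP (data offset*4) to the TCP payload.
   Returns the payload length, or -1 if the frame is not a complete,
   unfragmented IPv4/TCP frame. *payload_off receives the payload's byte offset. */
int tcp_payload_offset(const uint8_t *f, size_t len, size_t *payload_off)
{
    if (len < 34 || f[12] != 0x08 || f[13] != 0x00) return -1; /* short, or EtherType != IPv4 */
    const uint8_t *ip = f + 14;
    size_t ihl = (size_t)(ip[0] & 0x0F) * 4;                    /* IP header length (IHL field) */
    if ((ip[0] >> 4) != 4 || ihl < 20 || ip[9] != 6) return -1; /* not IPv4, bad IHL, not TCP */
    uint16_t total = (uint16_t)((ip[2] << 8) | ip[3]);          /* IP total length */
    uint16_t frag = (uint16_t)((ip[6] << 8) | ip[7]);           /* flags + fragment offset */
    if (frag & 0x3FFF) return -1;          /* MF set or offset != 0: reassemble at IP level first */
    if (total < ihl + 20 || 14 + (size_t)total > len) return -1;
    const uint8_t *tcp = ip + ihl;
    size_t thl = (size_t)(tcp[12] >> 4) * 4;                    /* TCP data offset (header + options) */
    if (thl < 20 || ihl + thl > total) return -1;
    *payload_off = 14 + ihl + thl;
    return (int)(total - ihl - thl);                            /* = total - IP hdr - TCP hdr */
}

/* Constructed frame: an HTTP request line carried in one unfragmented TCP segment. */
static const uint8_t kFrame[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00, /* Ethernet */
    0x45,0x00, 0x00,0x38, 0x00,0x01, 0x40,0x00, 0x40,0x06, 0x00,0x00,       /* IPv4, len 56, DF */
    10,0,0,1, 10,0,0,2,                                                     /* src, dst */
    0xc0,0x00, 0x00,0x50, 0,0,0,1, 0,0,0,2, 0x50,0x18, 0x20,0x00, 0,0, 0,0, /* TCP, hdr 20 */
    'G','E','T',' ','/',' ','H','T','T','P','/','1','.','1','\r','\n'       /* payload */
};

/* Payload length of kFrame, checked to begin with the HTTP request line; -1 on failure. */
int demo_http_payload_len(void)
{
    size_t off = 0;
    int n = tcp_payload_offset(kFrame, sizeof kFrame, &off);
    return (n > 0 && memcmp(kFrame + off, "GET ", 4) == 0) ? n : -1;
}

/* Same frame with the IP "More Fragments" flag set: must be rejected (-1). */
int demo_fragment_rejected(void)
{
    uint8_t copy[sizeof kFrame];
    size_t off = 0;
    memcpy(copy, kFrame, sizeof kFrame);
    copy[14 + 6] |= 0x20;                                       /* set MF in the flags byte */
    return tcp_payload_offset(copy, sizeof copy, &off);
}
```

For the constructed frame the function returns 16 (56 - 20 - 20) with the payload at byte offset 54; the stream ordering across segments still has to be done with the TCP sequence numbers, as the first answer describes.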
A: 

Depending on whose traffic you're attempting to passively reassemble, you may run into some TCP obfuscation techniques designed to confuse people trying to do exactly what you're trying to do. Check out this paper on different operating system reassembly behaviors.

jdizzle