TCP Reconstruction(C ,libpcap,linux)

kalps · 03-23-2009, 12:27 AM

Hello all,

How to reassemble tcp packets of a particular HTTP session? How can I know the number of tcp packets /session? I tried capturing HTTP packets but dint know where to find these details in the packet....

Any help is appreciable..

Thanks in advance

unSpawn · 03-23-2009, 07:17 PM

Quote:

Originally Posted by kalps

How to reassemble tcp packets of a particular HTTP session?

In Wireshark (formerly ethereal) "follow stream" or whatever it's called these days?

kalps · 03-24-2009, 01:41 AM

Thanku unspawn.
I have heard about wireshark.I am trying to develop a network analyser tool by myself using libpcap and C. This tcp reconstruction is one feature of it.As such I cant use another tool for this purpose.

Can you help me with some tips of how to use libpcap for reconstruction? I dint get great info on googling this topic.

I basically want to know how to approach this reconstruction..Can anyone help me???

chakka.lokesh · 03-24-2009, 02:06 AM

try analyzing the sequence and acknowledge numbers.

kalps · 03-25-2009, 08:51 AM

Thank you Chakka
I see http request as a single packet and http response comes as 2 or more packets(mostly 2). From which i infer dat the response packets 1 an 2.. had the same seq and ack number. Otherwise seq number of packet 1 will be the ack num of packet 2.Am i right.I don know any more to add..

Can you be specific r can u suggest some material for HTTP/TCP reconstruction??

chakka.lokesh · 03-26-2009, 12:16 AM

did u gone through RFC 793 ?