Wireshark · Wireshark-dev: Re: [Wireshark-dev] Reassembly of Split TCP packets - tcp_dissect

Wireshark-dev: Re: [Wireshark-dev] Reassembly of Split TCP packets - tcp_dissect_pdus() and "Fo

From: Stephen Fisher <steve@xxxxxxxxxxxxxxxxxx>

Date: Thu, 13 Aug 2009 10:18:37 -0600


On Aug 13, 2009, at 12:52 AM, Selçuk Cevher wrote:

The implementation of "Follow TCP Stream" command should be morecomplicated since it should cover handling the dropped, duplicatedand out-of-order TCP packets.
How does Wireshark handle this issues ? Where is the implementationof "Follow TCP Stream" command in the source tree

Take a look at gtk/follow_stream.c for the shared GUI portion of eachof the follow types (TCP, UDP, SSL). gtk/follow_tcp.c contains a goodportion of the follow TCP implementation. epan/follow.[ch] containsthe rest of the code for following streams. As you predicted, the TCPfollowing logic is a lot more complicated than say the UDP. You mightwant to start there to understand the ideas better before jumping intoTCP or SSL.



Steve

References:
- [Wireshark-dev] Reassembly of Split TCP packets - tcp_dissect_pdus() and "Follow TCP Stream" command
  - From: Selçuk Cevher

Prev by Date: Re: [Wireshark-dev] Wireshark-dev Digest, Vol 39, Issue 22
Next by Date: Re: [Wireshark-dev] Wireshark-dev Digest, Vol 39, Issue 22
Previous by thread: [Wireshark-dev] Reassembly of Split TCP packets - tcp_dissect_pdus() and "Follow TCP Stream" command
Next by thread: Re: [Wireshark-dev] Reassembly of Split TCP packets - tcp_dissect_pdus() and "Follow TCP Stream" command
Index(es):
- Date
- Thread