This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

TCP stream reconstruction

0

Hello,

I have a program that parses and extracts the pcap information and I'm trying to reassemble the TCP session. The WS method is:

void reassemble_tcp(int tcp_stream, long sequence, long acknowledgement, int dataLength, byte[] data, int capturedDataLength, boolean synflag, Address sourceIp, Address destinationIp, int srcport, int dstport, long packet_num)

The problem is one or both of the 2 lengths. They seem to change names in the code and it's hard to follow.

It seems that the first length argument is the segment length calculated by subtracting the header lengths from reported length.

- I calculate the reported length as long reported_len = getIpTotalLength() - getIpHeaderLength(); and that matches the WS segment length most of the time, but not all the time.

- The other length, which is called data_length in the signature, I calculate using dataStartOffset = packetHeaderSize + ETHERNET_HEADER_LENGTH + getIpHeaderLength() + tcpHeaderLength; and then dataLength = packet length - dataStartOffset; // where packetLength includes the packetHeaderSize.

I need help understanding how these lengths differ and if my formulas are fine.

I get all the other metadata (like header lengths etc.) and they match the WS, but my calculations for these 2 lengths seem to match in most cases but not all. I've been struggling for quite a while trying to find an answer. I need to find out if my formulas are wrong and, if so, what the proper formulas are.

Thank you in advance, Adrian

asked 26 Jul '15, 20:51


adriannuix
accept rate: 0%
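
The two lengths asked about above, worked through in C as an added example (not part of the original post and not Wireshark's code). It assumes untagged Ethernet II over IPv4 and that the two length arguments are the payload length the headers report and the payload bytes actually captured; `tcp_payload_lengths`, `make_frame` and the sample frames are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ok=0: not IPv4/TCP, or headers malformed/truncated. seg_len: payload bytes
 * the headers report. cap_len: payload bytes actually present in the capture. */
struct tcp_lens { int ok; unsigned seg_len, cap_len; };

/* frame starts at the Ethernet header (pcap record header already removed);
 * caplen is that record's captured length. Assumes no VLAN tag. */
struct tcp_lens tcp_payload_lengths(const uint8_t *frame, size_t caplen)
{
    struct tcp_lens r = {0, 0, 0};
    if (caplen < 14 + 20 || frame[12] != 0x08 || frame[13] != 0x00) return r;
    const uint8_t *ip = frame + 14;
    size_t ip_hlen = (size_t)(ip[0] & 0x0f) * 4;
    size_t ip_total = ((size_t)ip[2] << 8) | ip[3];
    if ((ip[0] >> 4) != 4 || ip_hlen < 20 || ip[9] != 6) return r;
    if (caplen < 14 + ip_hlen + 20) return r;      /* TCP header cut off */
    size_t tcp_hlen = (size_t)(ip[ip_hlen + 12] >> 4) * 4;
    if (tcp_hlen < 20 || ip_total < ip_hlen + tcp_hlen) return r;
    size_t data_off = 14 + ip_hlen + tcp_hlen;
    size_t seg = ip_total - ip_hlen - tcp_hlen;    /* excludes Ethernet padding */
    size_t avail = caplen > data_off ? caplen - data_off : 0;
    /* captured payload is capped at seg (drops padding) and at avail (snaplen) */
    r = (struct tcp_lens){1, (unsigned)seg, (unsigned)(avail < seg ? avail : seg)};
    return r;
}

/* Constructed sample frame: option-less IPv4/TCP headers, zeroed payload. */
void make_frame(uint8_t *buf, size_t buflen, unsigned payload)
{
    memset(buf, 0, buflen);
    buf[12] = 0x08;                             /* EtherType 0x0800 (IPv4) */
    buf[14] = 0x45;                             /* version 4, IHL 5 words */
    buf[16] = (uint8_t)((40 + payload) >> 8);   /* IP total length, high byte */
    buf[17] = (uint8_t)((40 + payload) & 0xff); /* IP total length, low byte */
    buf[23] = 6;                                /* protocol 6 = TCP */
    buf[46] = 0x50;                             /* TCP data offset 5 words */
}

int main(void)
{
    uint8_t f[256];
    make_frame(f, sizeof f, 0);    /* bare ACK, padded to 60 bytes on the wire */
    struct tcp_lens a = tcp_payload_lengths(f, 60);
    make_frame(f, sizeof f, 100);  /* 100 data bytes, capture cut at 96 */
    struct tcp_lens b = tcp_payload_lengths(f, 96);
    printf("padded %u/%u truncated %u/%u\n", a.seg_len, a.cap_len, b.seg_len, b.cap_len);
    return 0;
}
```

For the padded ACK, subtracting the data offset from the captured frame length would give 6 bytes of Ethernet padding, while the header-derived segment length is 0; for the truncated capture the reported length (100) exceeds what is available (42).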