Fill missing segments with zeros


DanielAW

Mar 26, 2016, 6:12:18 AM3/26/16
to tcpflow-users
Hi,

I'm using tcpflow to extract TCP flows, which I then want to compare. Some fragments are missing in one of these pcap captures (indicated by "TCP Previous segment not captured" in Wireshark).

In my experiments, tcpflow seems to fill up these missing fragments with zeros. This is a very useful feature in my case. Wireshark does not seem to do that if I try to export data with the "Follow TCP Stream" option.
I'm just wondering how it works in detail. How does tcpflow know the size of the missing fragment? Does it just use the size of the last fragment?

Regards, Daniel

DanielAW

Mar 26, 2016, 3:48:53 PM3/26/16
to tcpflow-users
Ok, I think I figured it out by myself:

Tcpdump acts as follows for the segment after the missing one:
- If it detects a missing frame, it first seeks the output file for the size of the current tcp data length (this is also how the zeros are generated)
- After this it writes the data of the current file to the output file

I'm currently not sure how tcpdump detects a missing segment.

Simson Garfinkel

Mar 26, 2016, 3:51:08 PM3/26/16
to tcpflo...@googlegroups.com, DanielAW
It doesn't detect missing segments. It just seeks to where the data are inserted for new segments.

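As an added illustration of the seek-based mechanism Simson describes (example code written for this thread, not code from tcpflow itself): each segment's payload is written at offset seq minus the flow's initial sequence number, so an uncaptured segment simply leaves a run of zero bytes. The written-range bookkeeping and the `reassemble` helper are assumptions of this example, not something the thread says tcpflow does; they let a later comparison tell a genuine zero byte from a fill.

```python
import io

SEQ_MOD = 1 << 32  # TCP sequence numbers wrap at 2^32


class FlowWriter:
    """One direction of a TCP flow, reassembled by seeking to the
    sequence-number offset and writing the payload. Bytes that are never
    written read back as zeros, exactly like a gap in a capture."""

    def __init__(self, isn):
        self.isn = isn            # initial sequence number of this direction
        self.out = io.BytesIO()   # seeking past the end and writing pads with zeros
        self.written = []         # (start, end) offsets actually written

    def offset(self, seq):
        # Relative offset, correct across a 32-bit sequence wrap
        return (seq - self.isn) % SEQ_MOD

    def add_segment(self, seq, payload):
        if not payload:
            return
        off = self.offset(seq)
        self.out.seek(off)        # out-of-order or retransmitted data just lands at its offset
        self.out.write(payload)
        self.written.append((off, off + len(payload)))

    def data(self):
        self.out.seek(0)
        return self.out.read()

    def gaps(self):
        # Merge overlapping written ranges, then report the holes between them;
        # a hole is a zero-filled region that never carried captured data.
        merged = []
        for s, e in sorted(self.written):
            if merged and s <= merged[-1][1]:
                merged[-1] = (merged[-1][0], max(merged[-1][1], e))
            else:
                merged.append((s, e))
        return [(e1, s2) for (s1, e1), (s2, e2) in zip(merged, merged[1:])]


# Constructed sample: the 4-byte segment at seq 1004 ("BBBB") was not captured.
SEGMENTS = [(1000, b"AAAA"), (1008, b"CCCC"), (1012, b"DDDD")]


def reassemble(isn, segments):
    """Return (reassembled bytes including zero fills, list of gap ranges)."""
    w = FlowWriter(isn)
    for seq, payload in segments:
        w.add_segment(seq, payload)
    return w.data(), w.gaps()
```

Running `reassemble(1000, SEGMENTS)` yields `b"AAAA\x00\x00\x00\x00CCCCDDDD"` with the gap reported as offsets 4 to 8.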

DanielAW

Mar 26, 2016, 3:56:02 PM3/26/16
to tcpflow-users, santa....@gmail.com
Thanks for your reply :-)

But it checks if the current sequence number is the expected next sequence number right?

Simson Garfinkel

Mar 26, 2016, 3:56:54 PM3/26/16
to tcpflo...@googlegroups.com, DanielAW
I don't remember. If it does, it is just checking that for statistical reporting. 

DanielAW

Mar 26, 2016, 4:03:23 PM3/26/16
to tcpflow-users, santa....@gmail.com
OK, thanks again. I think this is ok for my purposes :-)