Re: end of tcp stream .
- From: "Arkady Frenkel" <arkadyf@xxxxxxxxxxxxxxxx>
- Date: Sat, 30 Jul 2005 23:08:32 +0200
Oops, mea culpa , word "tcp" gone somehow ...
Arkady
"Roger Hunen" <rhunen@xxxxxxxxx> wrote in message
news:O6CsCk5kFHA.3828@xxxxxxxxxxxxxxxxxxxxxxx
> Sorry to say, but Arkady's reply does not lead anywhere near to a solution
> for the OP's problem. The DF/MF bits have nothing to do with it: these
> deal
> with IP-level fragmentation which will not happen in a normal TCP stream.
>
> The big problem here is that TCP has no concept of message boundaries:
> TCP is about octet streams. What the OP wants to achieve may therefore
> be easy or difficult depending on the situation. Let's have a look at a
> few:
>
> 1. The sender opens a TCP connection, sends the data and closes
> the connection.
>
> In this situation the end of the data is marked by a TCP segment with
> the FIN bit set. This is an easy one.
>
> 2. The sender opens a TCP connection, sends data, waits for a response
> from the receiver, sends more data, waits for another response, etc.
>
> In this situation packets with data from the sender are interleaved with
> packets containing response data from the receiver. Analyzing this data
> pattern is a common way to dissect unknown client-server data streams.
>
> Unfortunately this only works if the clients does not send another
> request
> to the server until it has received a response to the first request.
>
> 3. The sender opens a TCP connection, sens data, sends more data without
> waiting for a response from the other end, etc. or may send multiple
> (overlapped) request to the server before it has to wait for a response.
>
> In this situation you have no clue about the message boundaries unless
> you
> have knowledge about the communication protocol. Good generic sniffer
> programs have analyzer modules for many common application protocols.
>
> Regards,
> -Roger
>
>
> "Arkady Frenkel" <arkadyf@xxxxxxxxxxxxxxxx> wrote in message
> news:uekdJf4kFHA.1608@xxxxxxxxxxxxxxxxxxxxxxx
>> Look at controls flags ( DF/MF ) in
>> http://www.faqs.org/rfcs/rfc791.html
>> Arkady
>>
>> "Sharon" <Sharon669@xxxxxxxxxxx> wrote in message
>> news:OnOv7h2kFHA.3828@xxxxxxxxxxxxxxxxxxxxxxx
>>> Hi all
>>>
>>> I'm a java/bv programmer sorry for my lack of Winsock knowledge (and
>>> lack of
>>> good English .)
>>>
>>>
>>>
>>> I had this task to implement a simple sniffer (C code using Winsock )
>>>
>>> searching the internet i found relatively simple code , and changed it
>>> successfully according to my needs .
>>>
>>>
>>>
>>> My problem is like that:
>>>
>>>
>>>
>>> I am monitoring data sent over the TCP protocol,
>>>
>>> The broadcasting station transmits different sizes of data, the problem
>>> I
>>> encountered was when sending 6000 bytes of data.
>>>
>>>
>>>
>>> This data is fragmented into 4 frames 1514 size each, between them I
>>> get
>>> ACK frames
>>>
>>> So I tried to count on the PUSH flag of TCP , but on the second frame -
>>> the
>>> PUSH flag is 1
>>>
>>>
>>>
>>> Professional sniffer shows something like :
>>>
>>>
>>>
>>> 1# frame 1514 PUSH = 0
>>>
>>> 2# frame 1514 PUSH = 1
>>>
>>> 3# frame 60 ACK
>>>
>>> 4# frame 60 ACK
>>>
>>> 5# frame 1514 PUSH = 0
>>>
>>> 6# frame 1514 PUSH = 1
>>>
>>> ..
>>>
>>>
>>>
>>>
>>>
>>> What I'm trying to understand is how do I know when is the end of the
>>> TCP
>>> data
>>>
>>> How do I know when to stop extracting data from the TCP frames and send
>>> the
>>> data to my host application (one level up)
>>>
>>>
>>>
>>> Thank you very much
>>>
>>> I will appreciate any help !
>>>
>>> Sharon
>>>
>>
>>
>
>
.
- Prev by Date: Re: end of tcp stream .
- Next by Date: Re: end of tcp stream .
- Previous by thread: Re: end of tcp stream .
- Next by thread: Re: end of tcp stream .
- Index(es):
Relevant Pages
|
