
pcap data capture

Hi,

How does the pcap library handle TCP out-of-order packets? Does it put them back into the right order or does it just deliver the packets in the order it arrives?

Assuming it's the latter, how would you go about putting them back in the right order?
Asked by PMembrey
1 Solution
 
shajithchandran commented:
I think TCP should handle the reordering... that's what TCP is meant for.
 
PMembrey (author) commented:
I would agree if this was a normal socket - the data read would be in order - after all, that's the whole point of TCP. However if I'm listening on the wire, presumably pcap will pass me packets as it sees them, out of order or not.

Wireshark definitely shows them, but I don't know if this is for reference (i.e. network debugging) or whether or not it actually makes a difference.
 
shajithchandran commented:
I'm not sure what pcap is, but if it's an application that sits on top of the TCP stack, then it need not worry about packet ordering; the TCP layer will do it. From an application point of view, the data will come in order.
 
Infinity08 commented:
pcap provides packet sniffing. It receives packets as they are received on the network interface, so if packets arrive out of order, then that's how pcap will see them.

However, the TCP stack on the machine will take care of asking for re-transmits, and those re-transmits should also show up while sniffing. So, it would just be a matter of ignoring the out-of-order packets, and waiting for the re-transmitted packets as necessary.

On the other hand, I'm not really sure why you need this... Could you clarify what exactly you are trying to do? Maybe there's a better way of doing things?
 
PMembrey (author) commented:
At the moment I capture all the traffic in Wireshark, select a packet of interest and then tell it to "Follow TCP stream" and then save as raw to a file. From there I can analyse the data in the stream to help me debug my client and server combo.

However to speed things up, I would like to have a simple little app that does the same thing as Wireshark, except it just does it in one go rather than me having to go through all the steps above.

Wireshark when told to follow the stream will sort out the out-of-order packets, but a direct pcap session (as expected) does not. So, I would like to solve this particular problem :-)
 
Infinity08 commented:
What "Follow TCP Stream" does is filter out all packets that belong to the given TCP stream (based on source and destination IP addresses and ports).

If you want to make it easier to do a series of operations, maybe what you're after is tshark with proper command-line options.

For example, to get just one stream, you could do something like:

        tshark -r in.pcap -R "ip.addr==1.2.3.4 && tcp.port==10 && ip.addr==1.2.3.5 && tcp.port==20" -w out.pcap

or something more robust if needed.

tshark has many more options that will allow you to automate things the way you want.

        http://www.wireshark.org/docs/man-pages/tshark.html
 
PMembrey (author) commented:
Hi, that's actually a good solution but I really want to process the data live :-)
 
Infinity08 commented:
>> but I really want to process the data live :-)

tshark can capture data live, if that's what you mean. The example I gave was reading from in.pcap, but you could just as well read from a network interface (use the -i option instead of the -r option).
 
PMembrey (author) commented:
Well what I mean is that in effect I want my debug application to see an identical input stream (that is data sent from the remote server) as the actual client.

At present I suspect that I will need to write a very basic TCP implementation to ensure that the packets passed on are in the correct order etc. Obviously the debug app can't request packets to be resent etc., but it would need to know what to drop and how to order them, I guess.

So if application A were connecting via TCP to the server and then wrote the data it received directly to a file, application B, which is only listening via pcap, needs to be able to produce the same file.

0
 
Infinity08 commented:
Ok. I think I understand what you're trying to achieve.

Give a tool like tcpreplay a look:

        http://tcpreplay.synfin.net/

It allows you to "play" a TCP stream from a pcap file again.
 
PMembrey (author) commented:
I'm using that right now and I've got the capture to file sorted. The problem I think is that my version contains duplicates and out-of-order packets, i.e. my data file is not the same as the one Wireshark creates.

 
Infinity08 commented:
Just to be sure: when using tcpreplay, you only replay the client-to-server traffic, right? You don't replay what the server sends back (your debug server should be doing that).


>> The problem

What problem do you observe ?