Solved

pcap data capture

Posted on 2010-08-30
12
486 Views
Last Modified: 2012-05-10
Hi,

How does the pcap library handle TCP out-of-order packets? Does it put them back into the right order or does it just deliver the packets in the order it arrives?

Assuming it's the latter, how would you go about putting them back in the right order?
Question by:PMembrey
12 Comments
 
LVL 5

Expert Comment

by:shajithchandran
ID: 33556938
I think TCP should handle the reordering... that's what TCP is meant for.
0
 

Author Comment

by:PMembrey
ID: 33556950
I would agree if this was a normal socket - the data read would be in order - after all, that's the whole point of TCP. However if I'm listening on the wire, presumably pcap will pass me packets as it sees them, out of order or not.

Wireshark definitely shows them, but I don't know if this is for reference (i.e. network debugging) or whether or not it actually makes a difference.
0
 
LVL 5

Expert Comment

by:shajithchandran
ID: 33556951
I'm not sure what pcap is, but if it's an application that sits on top of the TCP stack, then it need not worry about packet ordering; the TCP layer will do it. From an application point of view, the data will come in order.
0
 
LVL 53

Expert Comment

by:Infinity08
ID: 33557045
pcap provides packet sniffing. It receives packets as they are received on the network interface, so if packets arrive out of order, then that's how pcap will see them.

However, the TCP stack on the machine will take care of asking for re-transmits, and those re-transmits should also show up while sniffing. So, it would just be a matter of ignoring the out-of-order packets, and waiting for the re-transmitted packets as necessary.

On the other hand, I'm not really sure why you need this... Could you clarify what exactly you are trying to do? Maybe there's a better way of doing things?
0
 

Author Comment

by:PMembrey
ID: 33557077
At the moment I capture all the traffic in Wireshark, select a packet of interest and then tell it to "Follow TCP stream" and then save as raw to a file. From there I can analyse the data in the stream to help me debug my client and server combo.

However to speed things up, I would like to have a simple little app that does the same thing as Wireshark, except it just does it in one go rather than me having to go through all the steps above.

Wireshark when told to follow the stream will sort out the out-of-order packets, but a direct pcap session (as expected) does not. So, I would like to solve this particular problem :-)
0
 
LVL 53

Accepted Solution

by:Infinity08 (earned 500 total points)
ID: 33557427
What the "Follow TCP Stream" does is filter out all packets that belong to the given TCP stream (based on source and destination IP addresses and ports).

If you want to make it easier to do a series of operations, maybe what you're after is tshark with proper command-line options.

For example, to get just one stream, you could do something like:

        tshark -r in.pcap -R "ip.addr==1.2.3.4 && tcp.port==10 && ip.addr==1.2.3.5 && tcp.port==20" -w out.pcap

or something more robust if needed.

tshark has many more options that will allow you to automate things the way you want.

        http://www.wireshark.org/docs/man-pages/tshark.html
0
 

Author Comment

by:PMembrey
ID: 33557489
Hi, that's actually a good solution but I really want to process the data live :-)
0
 
LVL 53

Expert Comment

by:Infinity08
ID: 33557524
>> but I really want to process the data live :-)

tshark can capture data live, if that's what you mean. The example I gave was reading from in.pcap, but you could just as well read from a network interface (use the -i option instead of the -r option).
0
 

Author Comment

by:PMembrey
ID: 33557697
Well what I mean is that in effect I want my debug application to see an identical input stream (that is data sent from the remote server) as the actual client.

At present I suspect that I will need to write a very basic tcp implementation to ensure that the packets passed on are in the correct order etc. Obviously the debug app can't request packets to be resent etc, but it would need to know what to drop and how to order them I guess.

So if application A were connecting via TCP to the server and then wrote the data it received directly to a file, application B, which is only listening via pcap, needs to be able to produce the same file.

0
 
LVL 53

Expert Comment

by:Infinity08
ID: 33561020
Ok. I think I understand what you're trying to achieve.

Give a tool like tcpreplay a look:

        http://tcpreplay.synfin.net/

It allows you to "play" a TCP stream from a pcap file again.
0
 

Author Comment

by:PMembrey
ID: 33563263
I'm using that right now and I've got the capture to file sorted. The problem I think is that my version contains duplicates and out-of-order packets, i.e. my datafile is not the same as the one Wireshark creates.

0
 
LVL 53

Expert Comment

by:Infinity08
ID: 33564537
Just to be sure: when using tcpreplay, you only replay the client-to-server traffic, right? You don't replay what the server sends back (your debug server should be doing that).


>> The problem

What problem do you observe?
0
