Does Wireshark run a specific sorting algorithm when reconstructing a TCP
stream?

If this is the case, it seems to me that, especially for long connections,
the task of sorting all the packets of the connection based on the sequence
numbers may be very costly.

On Thu, Aug 13, 2009 at 10:31 PM, Guy Harris <[email protected]> wrote:

>
> On Aug 12, 2009, at 11:52 PM, Selçuk Cevher wrote:
>
> > On the other hand, the development guide also says that a single TCP
> > segment can carry multiple application messages at the same time.
> >
> > In this case, it cannot be assumed that "the message header is at
> > the start of your TCP payload". Does it mean that there might be
> > multiple application layer headers in the payload of this single TCP
> > segment, and each application header may start from an arbitrary
> > location depending on the message size?
>
> Yes.
>
> If a TCP segment with multiple application layer packets in it has, at
> the beginning, the header of the first of those packets,
> tcp_dissect_pdus() will handle that - it'll call the packet dissector
> multiple times, once for each of the full packets in that segment.
>
> If the last packet in the segment is continued in the next segment,
> tcp_dissect_pdus() will start reassembly of that packet, so that when
> tcp_dissect_pdus() is called with the next segment, it will continue
> reassembly of that packet.
>
> The only case tcp_dissect_pdus() doesn't handle is the one where the
> first captured segment in the capture starts with something *other*
> than the header of a packet; that would require that it be possible to
> identify PDU headers heuristically and that it scan forward looking
> for the first PDU header.
> ___________________________________________________________________________
> Sent via:    Wireshark-dev mailing list <[email protected]>
> Archives:    http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>             mailto:[email protected]?subject=unsubscribe
>
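A simplified model of the framing behaviour described in the quoted reply about tcp_dissect_pdus(), added here as an example; it is not Wireshark code and calls no Wireshark API. The 2-byte big-endian length header, MAX_PDU, and the names framer, framer_feed, pdu_need and collect are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define HDR_LEN 2    /* assumed protocol: 2-byte big-endian body length */
#define MAX_PDU 256  /* largest header + body this model will buffer */
typedef struct { uint8_t buf[MAX_PDU]; size_t have; } framer; /* partial PDU */
typedef struct { size_t len[8]; int n; } seen;  /* sizes of dispatched PDUs */

/* Stand-in for the per-PDU dissector: records each complete PDU's length. */
static void collect(const uint8_t *pdu, size_t len, void *ctx)
{
    seen *s = ctx;
    if (pdu && s->n < 8) s->len[s->n++] = len;
}

/* Bytes needed for the PDU being assembled: the header, then header + body. */
static size_t pdu_need(const framer *f)
{
    if (f->have < HDR_LEN) return HDR_LEN;
    return HDR_LEN + (((size_t)f->buf[0] << 8) | f->buf[1]);
}

/* Feed one in-order payload: returns PDUs dispatched, -1 on oversize header. */
static int framer_feed(framer *f, const uint8_t *seg, size_t n,
                       void (*cb)(const uint8_t *, size_t, void *), void *ctx)
{
    int count = 0;
    while (n > 0) {
        size_t need = pdu_need(f);
        if (need > MAX_PDU) return -1;
        size_t take = need - f->have < n ? need - f->have : n;
        memcpy(f->buf + f->have, seg, take);
        f->have += take; seg += take; n -= take;
        if (f->have == pdu_need(f)) {   /* header and body both complete */
            cb(f->buf, f->have, ctx);   /* one call per full PDU */
            f->have = 0; count++;
        }
    }
    return count;
}

int main(void)
{
    /* Constructed payloads: two PDUs and the start of a third, then its tail. */
    const uint8_t s1[] = {0,1,'A', 0,2,'B','C', 0,3,'D'}, s2[] = {'E','F'};
    framer f = {0}; seen s = {0};
    int a = framer_feed(&f, s1, sizeof s1, collect, &s);
    printf("%d then %d PDU(s)\n", a, framer_feed(&f, s2, sizeof s2, collect, &s));
    return 0;
}
```

Feeding a fresh framer a payload that begins mid-PDU makes it read body bytes as a length header, which is the case the reply says is not handled; this model only notices when the bogus length exceeds MAX_PDU.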