I am developing a program that analyzes the HTTP protocol.
I have finished capturing layer 2 packets from the network card and analyzing the layer 2, 3 and 4 headers.
I have finished analyzing the HTTP header too.
But at layer 4 (TCP), I cannot assemble the packets into a PDU.
Please show me the way to assemble TCP packets like Wireshark does.
+ how can we know that a packet is the end of a PDU?
+ how can we collect the packets of a PDU?
+ how can we check for errors (timed-out packets, retransmitted packets)?
I researched many documents but didn't find the solution.
Thanks so much for your help.
I wish that this could solve my problem, but it cannot.
PDU = Protocol Data Unit.
In HTTP, PDU = request or response.
In TCP, from the 3-way handshake to FIN, there are too many PDUs sent and received between client & server. So we cannot use the FIN flag to separate PDUs.
Ok, what happens when you try tracing sequence numbers? As far as I know, this is how it works:
Say host A is talking to host B, and at the same time host A to host C (you are A). The initiator of any TCP connection (in this case host A) starts with some random sequence number. Each TCP packet (segment) needs to be acknowledged. If a packet is sent with a sequence number of, say, 1000, then the receiver (host B) has to acknowledge it by sending a packet with the ACK flag set and the acknowledgment field set to 1001 (meaning it is expecting a TCP packet with sequence 1001 as the next packet). Now for those packets that B sends to A: they also have sequence numbers that are initiated by B, and they are different from 1000. The same thing applies: every TCP packet (segment) sent by B needs to be ACKed by A. Say the first was 650; then host A sends an ACK of 651. B sends the next packet with seq. 651, host A replies with an ACK of 652, and so on.
Now, while this is happening, say that A initiates another connection with C. It will again start with another (totally different) sequence number, say 200. Again host C has to acknowledge this packet with an ACK of 201, and the story goes again.
Tracing sequence numbers and ACKs, you should be able to know which packets are for which connection. Does that make sense?
That's as far as I know; there are some more complications and details.
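The following is an added example, not code from the question or the answer above. It puts the answer's sequence-number tracing into practice and addresses the three sub-questions of the original post: segments are grouped per connection (the source/destination address and port 4-tuple), ordered by TCP sequence number, duplicates of already-received bytes are counted as retransmissions, and the ordered byte stream is cut into HTTP PDUs using the blank line that ends the headers plus Content-Length. The `Segment` record, the two constructed connections (A to B with ISN 1000 and A to C with ISN 200, mirroring the answer's numbers) and the request bytes are all assumptions built for the example; real input would come from the already-parsed IP and TCP headers.

```python
"""TCP stream reassembly with HTTP PDU delimiting (added example).

Constructed input: the fields an analyser has after parsing the IP and
TCP headers of each captured segment. Nothing here is read from a NIC.
"""
from collections import namedtuple

# One parsed segment: connection 4-tuple, TCP sequence number, flags, payload.
Segment = namedtuple("Segment", "src_ip src_port dst_ip dst_port seq flags payload")
SYN = 0x02


class Stream:
    """One direction of one TCP connection, reassembled in sequence order."""

    def __init__(self, isn):
        self.expected = isn          # next sequence number we are waiting for
        self.pending = {}            # seq -> payload for out-of-order segments
        self.data = bytearray()      # contiguous, in-order bytes so far
        self.retransmissions = 0

    def add(self, seq, payload):
        if not payload:              # pure ACKs carry no stream data
            return
        if seq + len(payload) <= self.expected:
            # every byte was already received: a retransmitted segment
            self.retransmissions += 1
            return
        if seq < self.expected:
            # partial overlap with received data: keep only the new tail
            payload = payload[self.expected - seq:]
            seq = self.expected
            self.retransmissions += 1
        self.pending[seq] = payload
        # append every segment that is now contiguous with the stream
        while self.expected in self.pending:
            chunk = self.pending.pop(self.expected)
            self.data += chunk
            self.expected += len(chunk)


class Reassembler:
    """Demultiplexes segments into per-connection streams (one per direction)."""

    def __init__(self):
        self.streams = {}

    def feed(self, seg):
        key = (seg.src_ip, seg.src_port, seg.dst_ip, seg.dst_port)
        if seg.flags & SYN:
            # the SYN consumes one sequence number, so data starts at ISN + 1
            self.streams[key] = Stream(seg.seq + 1)
            return
        stream = self.streams.get(key)
        if stream is None:
            # capture started mid-connection: adopt the first seen sequence number
            stream = self.streams[key] = Stream(seg.seq)
        stream.add(seg.seq, seg.payload)

    def stream_bytes(self, key):
        return bytes(self.streams[key].data)


def split_http_pdus(data):
    """Cut a reassembled stream into complete HTTP messages.

    A PDU ends after the header terminator (blank line) plus Content-Length
    body bytes; without Content-Length the body is taken as empty (chunked
    encoding is not handled). Returns (complete_pdus, unconsumed_remainder).
    """
    pdus = []
    while True:
        end = data.find(b"\r\n\r\n")
        if end == -1:
            return pdus, data        # headers not complete yet
        length = 0
        for line in data[:end].split(b"\r\n")[1:]:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"content-length":
                length = int(value.strip())
        total = end + 4 + length
        if len(data) < total:
            return pdus, data        # body still arriving
        pdus.append(bytes(data[:total]))
        data = data[total:]


def demo():
    """Constructed capture: two interleaved connections, out-of-order delivery and a duplicate."""
    r = Reassembler()
    req = b"POST /x HTTP/1.1\r\nHost: b\r\nContent-Length: 5\r\n\r\nhello"
    first, second = req[:20], req[20:]
    a_b = ("10.0.0.1", 40000, "10.0.0.2", 80)   # constructed addresses
    a_c = ("10.0.0.1", 40001, "10.0.0.3", 80)
    for seg in [
        Segment(*a_b, 1000, SYN, b""),                 # A->B handshake, ISN 1000
        Segment(*a_c, 200, SYN, b""),                  # A->C handshake, ISN 200
        Segment(*a_b, 1021, 0x18, second),             # second half arrives first
        Segment(*a_c, 201, 0x18, b"GET / HTTP/1.1\r\nHost: c\r\n\r\n"),
        Segment(*a_b, 1001, 0x18, first),
        Segment(*a_b, 1001, 0x18, first),              # duplicate: retransmission
    ]:
        r.feed(seg)
    pdus_b, rest_b = split_http_pdus(r.stream_bytes(a_b))
    pdus_c, rest_c = split_http_pdus(r.stream_bytes(a_c))
    return {"b": pdus_b, "b_rest": rest_b, "c": pdus_c, "c_rest": rest_c,
            "retransmissions": r.streams[a_b].retransmissions}


if __name__ == "__main__":
    print(demo())
```

Time-outs are not covered: detecting them needs per-segment capture timestamps and a comparison against the expected ACK, which the reassembler above does not track. A real analyser would also need to handle both directions of each connection, sequence-number wraparound, and chunked transfer encoding.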