tcpdump mailing list archives
Re: TCP stream decoding
From: Guy Harris <guy () netapp com>
Date: Mon, 16 Dec 2002 16:34:34 -0800
On Sun, Dec 15, 2002 at 09:06:21PM +0100, Hannes Gredler wrote:
> have there been efforts [or thoughts, or even some code ;-)] for putting together the TCP stream and expose it to higher-level dissectors [aka stateful decoding]?
None that I know of in tcpdump. Ethereal supports it, but it requires both support in the TCP dissector and in subdissectors (as only they know where higher-level PDUs begin and end).
> i am wondering about the feasibility of such a project, while still preserving tcpdump's small footprint;
Hmm. Given that tcpdump is strictly one-pass, it's a bit of a simpler problem than in Ethereal - it could discard saved data from previous TCP segments once it hands the reassembled data to the higher-level dissector.

Note, for what it's worth, that Ethereal currently doesn't handle out-of-order TCP segment delivery. I don't know how much more complicated that'd make it.
-
This is the TCPDUMP workers list. It is archived at http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
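An added example, not tcpdump or Ethereal code and not from either poster: a one-pass reassembler in C for one direction of one connection that holds copies of segments arriving past a gap, trims retransmitted bytes, and frees each held segment as soon as its data has been handed on. The names `stream_input`, `struct stream`, `MAX_PENDING`, `collect` and `struct sink` are hypothetical, and `next_seq` is assumed to be initialised from the connection's initial sequence number.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define MAX_PENDING 8  /* bound on held out-of-order segments */
struct seg { uint32_t seq; size_t len; unsigned char *data; };
struct stream { uint32_t next_seq; struct seg pending[MAX_PENDING]; int npending; };
typedef void (*deliver_fn)(const unsigned char *, size_t, void *);

/* Hand in-order bytes to the dissector, trimming any already-delivered prefix. */
static void emit(struct stream *s, const struct seg *g, deliver_fn cb, void *ctx)
{
    uint32_t skip = s->next_seq - g->seq;   /* bytes already delivered */
    if (skip >= g->len) return;             /* pure retransmission */
    cb(g->data + skip, g->len - skip, ctx);
    s->next_seq = g->seq + (uint32_t)g->len;
}

/* Feed one segment of one direction; returns -1 if it had to be dropped. */
int stream_input(struct stream *s, uint32_t seq, const void *d, size_t len,
                 deliver_fn cb, void *ctx)
{
    struct seg g = { seq, len, (unsigned char *)d };
    if (len == 0) return 0;
    if ((int32_t)(seq - s->next_seq) > 0) {         /* gap: hold a copy */
        if (s->npending == MAX_PENDING || !(g.data = malloc(len))) return -1;
        memcpy(g.data, d, len);
        s->pending[s->npending++] = g;
        return 0;
    }
    emit(s, &g, cb, ctx);
    for (int i = 0; i < s->npending; ) {            /* drain what is now in order */
        struct seg *p = &s->pending[i];
        if ((int32_t)(p->seq - s->next_seq) > 0) { i++; continue; }
        emit(s, p, cb, ctx);
        free(p->data);                              /* one-pass: discard after delivery */
        *p = s->pending[--s->npending];
        i = 0;                                      /* next_seq moved: rescan */
    }
    return 0;
}

struct sink { char buf[64]; size_t len; };  /* constructed stand-in dissector */
void collect(const unsigned char *d, size_t n, void *ctx)
{
    struct sink *k = ctx;
    if (n > sizeof k->buf - 1 - k->len) n = sizeof k->buf - 1 - k->len;
    memcpy(k->buf + k->len, d, n);
    k->len += n; k->buf[k->len] = '\0';
}
```

The fixed `MAX_PENDING` bound is what keeps the memory footprint predictable: a capture with a long-lived gap costs dropped segments rather than unbounded buffering.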
