Working in C#, I use SharpPcap to get segments from a WinPcap trace.
I need to rebuild all the messages sent and received in that trace.
In my situation, the client's and server's IP will never be the same. The client's port does not necessarily change.
The protocol used by the message could be HTTP or something custom that I don't know.
This is how I currently do it:
    if (ipPacket.Protocol == IPProtocolType.TCP)
    {
        TcpPacket tcpPacket = (TcpPacket)ipPacket.PayloadPacket;
        // Walk down to the innermost packet to reach the application payload
        Packet dataPacket = tcpPacket;
        while (dataPacket.PayloadPacket != null)
            dataPacket = dataPacket.PayloadPacket;
        if (dataPacket.PayloadData.Length > 0)
        {
            // Start a new message when the sender changes and PSH is set
            if (m_MessageContainer.IsEmpty()
                || ((m_MessageContainer.Last().SourceIp.ToString() != ipPacket.SourceAddress.ToString())
                    && tcpPacket.Psh))
            {
                m_MessageContainer.Add(BuildMessage(ipPacket, tcpPacket));
            }
            m_MessageContainer.Last().AddData(dataPacket.PayloadData);
        }
    }
The problem with my solution is when the client sends two requests in a row: I just merge the two messages into one. If I change
    if (m_MessageContainer.IsEmpty()
        || ((m_MessageContainer.Last().SourceIp.ToString() != ipPacket.SourceAddress.ToString())
            && tcpPacket.Psh))
    {
        m_MessageContainer.Add(BuildMessage(ipPacket, tcpPacket));
    }
to
    if (m_MessageContainer.IsEmpty()
        || tcpPacket.Psh)
    {
        m_MessageContainer.Add(BuildMessage(ipPacket, tcpPacket));
    }
then a problem occurs when a message is split across more than one TCP segment and the PSH flag is set on at least two of those segments.
I need a way to correctly merge segments to rebuild original messages. I can't rely on the protocol used over TCP.
Thank you!
Edit: In Wireshark, when you do Follow TCP Stream, it doesn't necessarily know the protocol over TCP, but it is able to show each request and response in different colors. How is it able to do that? I am seeking the same functionality because in my situation, there will never be a second request before a response is received in a stream. Thanks
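One way to get the behaviour the edit describes, as an added example that is not from the question or from SharpPcap: Wireshark's Follow TCP Stream colours runs of data by direction, not by PSH, so the equivalent rule is to start a new message whenever the sending side changes and to order the data inside a message by TCP sequence number, which also absorbs out-of-order delivery and exact retransmissions. The `Segment` record, the addresses and the sequence numbers are constructed stand-ins for the fields the question reads from SharpPcap's `IpPacket`/`TcpPacket`.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;

// Hypothetical stand-in for the fields the question reads from SharpPcap's IpPacket/TcpPacket.
public record Segment(string SrcIp, ushort SrcPort, string DstIp, ushort DstPort, uint Seq, byte[] Payload);

public class Message
{
    public string Direction = "";                 // "srcIp:port>dstIp:port" of the sender
    // Payloads keyed by TCP sequence number: out-of-order segments land in place, retransmits overwrite.
    public SortedDictionary<uint, byte[]> Parts = new();
    public byte[] Data => Parts.Values.SelectMany(p => p).ToArray();
}

public static class StreamReassembler
{
    static string DirKey(Segment s) => $"{s.SrcIp}:{s.SrcPort}>{s.DstIp}:{s.DstPort}";
    // A message is one run of data from one side; a new one starts when the other side starts
    // sending. PSH is never consulted. Segments reordered across a direction change are not handled.
    public static List<Message> Rebuild(IEnumerable<Segment> segments)
    {
        var messages = new List<Message>();
        foreach (var s in segments)
        {
            if (s.Payload.Length == 0) continue;  // pure ACKs carry no application data
            string key = DirKey(s);
            if (messages.Count == 0 || messages[^1].Direction != key)
                messages.Add(new Message { Direction = key });
            messages[^1].Parts[s.Seq] = s.Payload;
        }
        return messages;
    }
    public static void Main()
    {
        const string Cli = "10.0.0.2", Srv = "10.0.0.1";   // constructed addresses
        byte[] B(string t) => Encoding.ASCII.GetBytes(t);
        var trace = new[]   // constructed capture: split request arriving out of order,
        {                   // a retransmit, the response, then a second request
            new Segment(Cli, 51000, Srv, 80, 1006, B("/ HTTP/1.0\r\n\r\n")),
            new Segment(Cli, 51000, Srv, 80, 1000, B("GET / ")),
            new Segment(Cli, 51000, Srv, 80, 1000, B("GET / ")),
            new Segment(Srv, 80, Cli, 51000, 5000, B("HTTP/1.0 200 OK\r\n\r\nhi")),
            new Segment(Cli, 51000, Srv, 80, 1020, B("GET /b HTTP/1.0\r\n\r\n")),
        };
        foreach (var m in Rebuild(trace))
            Console.WriteLine($"{m.Direction}: {Encoding.ASCII.GetString(m.Data).Replace("\r\n", "|")}");
    }
}
```

Run against the constructed trace, this yields three messages: the first request reassembled as `GET / HTTP/1.0`, the response, and the second request kept separate, which is the split the PSH-based condition could not produce reliably.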