While observing network traffic in Wireshark, I see that Wireshark reassembles packets like:
[Reassembled TCP Segments (4233 bytes): #1279(2133), #1278(2100)]
Packet #1278: blahblah, Seq: 1538, Ack: 3074, Len: 2133
Packet #1279: blahblah, Seq: 2998, Ack: 3074, Len: 2100
(lengths are fictional values)
I'm looking to reassemble TCP packets that I receive through SharpPcap.
Does Wireshark use Ack to know which segments belong to each other?
What does the Seq value refer to?
If not, how does it reassemble them?
SEQ values are counted in bytes, so if you receive a 100-byte segment with SEQ == 5, you know the next segment in the sequence will have a SEQ == 105.
The ACK indicates the next SEQ value that the sender expects to see from its peer. So the only reason you're seeing the same ACK value in multiple packets is that only one side is transmitting. By keeping the ACK the same with each transmission, the host is basically saying it hasn't received anything new.
The sequence number identifies the first byte in the segment. As part of connection establishment each peer picks a random sequence number for the first byte that it will send. Thereafter, the next sequence number is the previous sequence number plus the number of bytes in the previous segment.
I don't understand your question about whether Wireshark uses Ack to reassemble segments.
I might be wrong, but it is not up to TCP to reassemble the PDU. TCP's job is to make sure the TCP segments arrive in order (seq, ack); it does not care about the upper-layer protocols.
E.g., for a long HTTP response (suppose you are downloading some large file), TCP does not know (nor does it care) where the end of the request is, because that's HTTP's job.
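The two points made in the answers above, that a segment's place in the stream is given by its SEQ alone (next SEQ = previous SEQ + previous length, counted from the ISN chosen at connection setup) and that the end of a message is the application protocol's business rather than TCP's, are shown together in the following added example. It is not code from the question, the answers, Wireshark or SharpPcap; the segments it feeds in are constructed sample data, and every class and function name (StreamReassembler, seq_before, http_message_end, demo) is this example's own. It goes a little beyond the answers by handling what a real capture throws at a reassembler: out-of-order arrival, overlapping and fully retransmitted segments, and a sequence number that wraps past 2^32.

```python
"""TCP stream reassembly by sequence number, the way Wireshark's TCP dissector
orders segments before handing the bytes to the HTTP dissector.

Added example; not code from the question, the answers, Wireshark or SharpPcap.
The segment data below is constructed, and all names are this example's own.
"""
from dataclasses import dataclass, field
from typing import Optional
import re

SEQ_MOD = 1 << 32  # sequence numbers are 32-bit and wrap around


def seq_before(a: int, b: int) -> bool:
    """True if sequence number a lies before b, allowing for wrap-around."""
    return (a - b) % SEQ_MOD > SEQ_MOD // 2


@dataclass
class Segment:
    seq: int        # sequence number of the segment's first payload byte
    payload: bytes


@dataclass
class StreamReassembler:
    """One direction of a connection (e.g. server -> client). The caller picks
    the reassembler by the 4-tuple (addresses and ports); only SEQ is used to
    place bytes, the ACK field plays no part."""
    isn: int
    buffer: bytearray = field(default_factory=bytearray)
    pending: dict = field(default_factory=dict)   # seq -> payload held for a gap
    stats: dict = field(default_factory=lambda: {"used": 0, "held": 0, "dup": 0})

    def __post_init__(self) -> None:
        # The SYN consumes one sequence number, so data starts at ISN + 1.
        self.next_seq = (self.isn + 1) % SEQ_MOD

    def add(self, seg: Segment) -> None:
        if not seg.payload:
            return                      # pure ACK: nothing to reassemble
        if seg.seq == self.next_seq or seq_before(seg.seq, self.next_seq):
            self._deliver(seg)
            self._drain_pending()
        else:
            # Starts after the next expected byte: hold it until the gap fills.
            self.pending.setdefault(seg.seq, seg.payload)
            self.stats["held"] += 1

    def _deliver(self, seg: Segment) -> None:
        """Append a segment starting at or before next_seq, trimming overlap."""
        overlap = (self.next_seq - seg.seq) % SEQ_MOD
        if overlap >= len(seg.payload):
            self.stats["dup"] += 1      # full retransmission of bytes we have
            return
        data = seg.payload[overlap:]
        self.buffer.extend(data)
        self.next_seq = (self.next_seq + len(data)) % SEQ_MOD
        self.stats["used"] += 1

    def _drain_pending(self) -> None:
        """Release held segments that the advancing next_seq has now reached."""
        while True:
            ready = [s for s in self.pending
                     if s == self.next_seq or seq_before(s, self.next_seq)]
            if not ready:
                return
            for s in sorted(ready, key=lambda s: (s - self.next_seq) % SEQ_MOD):
                self._deliver(Segment(s, self.pending.pop(s)))

    def data(self) -> bytes:
        return bytes(self.buffer)

    def held_bytes(self) -> int:
        """Bytes parked behind a gap; nonzero means a segment was never seen."""
        return sum(len(p) for p in self.pending.values())


def http_message_end(stream: bytes) -> Optional[int]:
    """Offset where the first HTTP/1.x message (framed by Content-Length) ends
    in the reassembled stream, or None if it is not complete yet. This framing
    is HTTP's job; TCP has no notion of a message boundary."""
    head_end = stream.find(b"\r\n\r\n")
    if head_end < 0:
        return None
    m = re.search(rb"(?im)^content-length:[ \t]*(\d+)\r?$", stream[:head_end])
    end = head_end + 4 + (int(m.group(1)) if m else 0)
    return end if len(stream) >= end else None


def demo() -> StreamReassembler:
    """Constructed capture: one HTTP response whose segments arrive out of
    order, with one overlapping and one fully retransmitted segment, across a
    sequence-number wrap."""
    msg = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"   # 43 bytes
    isn = SEQ_MOD - 20                   # chosen so the stream wraps past 2^32
    first = (isn + 1) % SEQ_MOD          # sequence number of msg[0]

    def seg(off: int, end: int) -> Segment:
        return Segment((first + off) % SEQ_MOD, msg[off:end])

    r = StreamReassembler(isn)
    for s in [seg(0, 17),    # in order
              seg(36, 43),   # arrives early: held behind a gap
              seg(9, 20),    # overlaps delivered bytes: trimmed to [17:20]
              seg(17, 36),   # fills the gap, releases the held segment
              seg(0, 17)]:   # retransmission: dropped as a duplicate
        r.add(s)
    return r


if __name__ == "__main__":
    r = demo()
    print(r.stats, "held bytes:", r.held_bytes())
    print(r.data())
    print("HTTP message ends at byte", http_message_end(r.data()))
```

To use it against SharpPcap output, key one StreamReassembler per direction of each connection by (src, sport, dst, dport), take the ISN from the SYN (or, for a capture that missed the handshake, from the first segment seen), and feed each TCP payload in as a Segment; only after http_message_end reports a complete message does the byte count in the reassembled buffer mean anything at the HTTP level.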