reconstructing TCP connections

From: Mal hacker (
Date: Fri Jan 18 2002 - 01:09:16 EST

Hello friends,
I have a file in which I have kept packets sniffed from the
network, with the timestamp of each and every packet when it was
sniffed from the network. These are all TCP/IP packets and nothing else,
and might have been transmitted from any computer running any OS, I
mean Windows or Linux or Solaris or any other. Now, for reconstructing
TCP sessions from the single dump file, I first separate out the
packets on the basis of the 4-tuple of communication, viz. IP addresses
and port numbers. This results in creating multiple files, with every
file having packets with the same 4-tuple. These packets are sorted on
the basis of the timestamp of every packet, as it is also there in the dump.
Now, here is what I need to do: I need to read every file and then
check whether there was more than one connection on the same tuple of
communication, and in that case separate the packets in this file into
two separate files. The problem here is that I might not have all the
packets of the connection, and this includes the absence of SYN, SYN-ACK
or FIN packets. So I need some heuristics for whether a packet belongs to
the same connection or some other connection. Well, here are some of
the points which I have listed for applying heuristics; I would require
help from you to read these and then comment/add something to them so
that I can get things working with the best heuristics.

1. A mismatched sequence number requires that we inspect the
session with the heuristics... (there could be something associated
with a timestamp too, but I am unable to decide upon something; please

2. The heuristics basically depend upon the timestamps of the adjacent
packets. For example, if the timestamp difference is X and
we cannot expect this number of bytes Y (evaluated by taking the
difference of sequence numbers) to travel the network in such a short
amount of time, then it's okay for us to consider the packets as
belonging to two separate connections.

Actually this all depends upon what likelihood we have that the
same tuple of communication will be used again, and in how short an
interval of time. So please help me with this, as I am not able to decide
upon the exact heuristics... Any link or document or paper would also
be of help!

Thanks for your help


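One way to turn points 1 and 2 into code, as an added example that is not part of the original post: it walks one 4-tuple's packets in timestamp order, treats a small backwards sequence step as a retransmission, and starts a new connection on a fresh SYN or on a sequence jump that the link could not have carried in the elapsed time. The rate, idle and slack thresholds, the Packet layout and the sample capture are assumptions to tune per capture.

```python
from dataclasses import dataclass
# Assumed thresholds (not from the post); tune them to the capture's link speed.
MAX_RATE_BPS = 12_500_000   # 100 Mbit/s ceiling for "bytes Y cannot cross the link in X seconds"
IDLE_SPLIT_SEC = 120.0      # an out-of-sequence packet after this much silence = tuple reused
RETRANSMIT_SLACK = 65_535   # seq slightly behind expected = retransmission/keepalive, not reuse
SEQ_MASK = 0xFFFFFFFF

@dataclass
class Packet:
    ts: float        # capture timestamp in seconds
    src: str         # sending endpoint "ip:port"; one file holds both directions of a 4-tuple
    seq: int         # 32-bit sequence number
    payload: int     # payload bytes carried
    syn: bool = False
    ack: bool = False

def seq_delta(a: int, b: int) -> int:
    """Signed a - b on the 32-bit sequence space (wrap-around aware)."""
    d = (a - b) & SEQ_MASK
    return d - (1 << 32) if d >= (1 << 31) else d

def split_connections(packets: list[Packet]) -> list[list[Packet]]:
    conns: list[list[Packet]] = []   # one list of packets per detected connection
    expected, last_ts = {}, 0.0   # next expected seq per direction (current connection only)
    for p in packets:
        start_new = not conns
        if p.syn and not p.ack:
            # a fresh SYN opens a connection unless it repeats this side's SYN (delta == -1)
            retransmit = p.src in expected and seq_delta(p.seq, expected[p.src]) == -1
            start_new = start_new or not retransmit
        elif p.src in expected:
            gap, dt = seq_delta(p.seq, expected[p.src]), p.ts - last_ts
            if -RETRANSMIT_SLACK <= gap <= 0:
                pass   # retransmission or keepalive probe: same connection
            elif dt > IDLE_SPLIT_SEC or abs(gap) > MAX_RATE_BPS * max(dt, 1e-6):
                start_new = True   # point 2 of the post: the seq jump cannot fit in dt
        if start_new:
            conns.append([])
            expected = {}
        conns[-1].append(p)
        expected[p.src] = (p.seq + p.payload + int(p.syn)) & SEQ_MASK
        last_ts = p.ts
    return conns

# Constructed sample on one 4-tuple: handshake, retransmission, a SYN-less second connection, a third
C, S = "10.0.0.1:40000", "10.0.0.2:80"
SAMPLE = [Packet(0.00, C, 1000, 0, syn=True), Packet(0.01, S, 5000, 0, syn=True, ack=True),
          Packet(0.02, C, 1001, 0, ack=True), Packet(0.03, C, 1001, 100, ack=True),
          Packet(0.05, S, 5001, 200, ack=True), Packet(0.30, C, 1001, 100, ack=True),
          Packet(0.50, C, 3_000_000_000, 50, ack=True), Packet(0.51, S, 4_000_000_000, 0, ack=True),
          Packet(0.60, C, 42, 0, syn=True), Packet(1.60, C, 42, 0, syn=True)]
```

Running `split_connections(SAMPLE)` yields three connections of 6, 2 and 2 packets; the retransmitted data segment and the retransmitted SYN stay with their original connection.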

This archive was generated by hypermail 2b29 : Wed Jan 23 2002 - 21:01:13 EST