A Repost: reconstructing TCP connections (sorry for the trouble but i really need a solution)

From: Mal hacker (malhacker@yahoo.com)
Date: Tue Jan 22 2002 - 07:49:24 EST


> Hello friends,
> I have a file in which I have kept packets sniffed from the network,
> with the timestamp of each and every packet when it was sniffed from
> the network. These are all TCP/IP packets and nothing else, and might
> have been transmitted from any computer running any OS, I mean Windows
> or Linux or Solaris or anything else. Now, for reconstructing TCP
> sessions from the single dump file, I first separate out the packets
> on the basis of the 4-tuple of communication, viz. IP addresses and
> port numbers. This results in creating multiple files, with every file
> having packets with the same 4-tuple. These packets are sorted on the
> basis of the timestamp of every packet, as it is also there in the
> dump file.
> Now, here is what I need to do - I need to read every file and then
> check whether there was more than one connection on the same tuple of
> communication, and in that case separate the packets in this file into
> two separate files. The problem here is that I might not have all the
> packets of the connection, and this includes the absence of SYN,
> SYN-ACK or FIN packets. So, I need some heuristics that a packet
> belongs to the same connection or some other connection. Well, here
> are some of the points which I have listed for applying heuristics; I
> would require help from you to read these and then comment/add
> something to them so that I can get things working with the best
> heuristics.
>
> 1. A mismatched sequence number requires that we inspect the session
> with the heuristics... (there could be something associated with a
> timestamp too, but I am unable to decide upon something, please help).
>
> 2. The heuristics basically depend upon the timestamps of the adjacent
> packets. For example, if the timestamp difference is X and we cannot
> expect this number of bytes Y (evaluated by taking the difference of
> sequence numbers) to travel the network in such a short amount of
> time, then it's okay for us to consider the packets as belonging to
> two separate connections.
>
> Actually this all depends upon what likelihood we have that the same
> tuple of communication will be used again, and in how short an
> interval of time? So please help me in this as I am not able to decide
> upon the exact heuristics... Any link or document or paper would also
> be of help!
>
> Thanks for your help
> mal
>

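One way to implement the heuristics asked about above, as an added example and not code from the original post: a 4-tuple's time-sorted packets are walked once, each direction's next expected sequence number is tracked, and a new connection starts on a bare SYN, on a long idle gap, or when the sequence number jumps farther than the link could have carried in the elapsed time (heuristic 2). The MAX_RATE, MAX_WINDOW and MAX_IDLE thresholds, the Pkt record and the sample capture are assumptions made for this example.

```python
"""Split one 4-tuple's time-sorted packets into TCP connections without relying on SYN/FIN."""
from collections import namedtuple

SEQ_MOD, HALF = 1 << 32, 1 << 31
SYN, ACK, FIN = 0x02, 0x10, 0x01
# Assumed tuning values (not from the post): 1 Gbit/s link ceiling in bytes/s, largest plausible window, idle gap.
MAX_RATE, MAX_WINDOW, MAX_IDLE = 125_000_000, 1 << 20, 3600.0
# ts: capture time (s); fwd: True for the A->B half of the tuple; seq: TCP seq; payload: bytes; flags: TCP bits.
Pkt = namedtuple("Pkt", "ts fwd seq payload flags", defaults=[0])

def starts_new(p, expect, last_ts):
    """Return why p cannot belong to the current connection, or None if it fits."""
    d = p.fwd
    if p.flags & SYN and not p.flags & ACK:      # bare SYN: new connection unless it is a retransmit
        return None if expect.get(d) == (p.seq + 1) % SEQ_MOD else "bare SYN"
    if p.ts - last_ts > MAX_IDLE:
        return "idle gap"
    if d not in expect:                          # first packet seen in this direction: nothing to compare
        return None
    gap = (p.seq - expect[d]) % SEQ_MOD
    if gap < HALF:                               # forward jump: could that many bytes have crossed the wire?
        if gap > MAX_RATE * (p.ts - last_ts) + MAX_WINDOW:
            return "seq jump exceeds link capacity"
    elif SEQ_MOD - gap > MAX_WINDOW:             # behind expected by more than a window
        return "seq far behind expected"
    return None                                  # in order, reordered, or retransmitted

def split_connections(pkts):
    """Group packets into connections; a new group starts whenever starts_new fires."""
    conns, cur, expect, last_ts = [], [], {}, 0.0
    for p in pkts:
        if cur and starts_new(p, expect, last_ts):
            conns.append(cur)
            cur, expect = [], {}
        cur.append(p)
        end = (p.seq + p.payload + bool(p.flags & SYN) + bool(p.flags & FIN)) % SEQ_MOD
        if p.fwd not in expect or (end - expect[p.fwd]) % SEQ_MOD < HALF:
            expect[p.fwd] = end                  # advance only; a retransmit never moves it back
        last_ts = p.ts
    return conns + [cur] if cur else conns

# Constructed sample: handshake plus data, then the tuple reused with no SYN captured.
SAMPLE = [
    Pkt(0.00, True, 1000, 0, SYN), Pkt(0.05, False, 5000, 0, SYN | ACK), Pkt(0.10, True, 1001, 0, ACK),
    Pkt(0.20, True, 1001, 100, ACK), Pkt(0.30, False, 5001, 50, ACK),
    Pkt(0.50, True, 900_000_000, 200, ACK),      # ~900 MB jump in 0.2 s: cannot be the same stream
    Pkt(0.90, True, 900_000_000, 200, ACK),      # retransmission: stays in the second connection
    Pkt(5000.0, True, 900_000_200, 10, ACK),     # an hour idle: treated as a third connection
]
```

Sequence arithmetic is done modulo 2^32 so wraparound is handled, and retransmissions or reordering within one window stay in the same connection; on SAMPLE the split yields groups of 5, 2 and 1 packets.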



This archive was generated by hypermail 2b29 : Wed Jan 23 2002 - 21:01:14 EST