linux
yanchumak, 2014-12-11 00:01:28

How to determine the first and last segment in raw TCP packets in IP fragmentation?

Good evening. There is IP traffic; I listen to it and do my dirty deeds. Everything is fine, but as soon as a burst of data larger than the MSS (1460 bytes) is sent, with MTU 1500 (Ethernet), it is naturally cut at the IP level into segments of size 1460 + 20 (IP header size) + 20 (TCP header size), and I get pieces that I do not need; what I need is the final packet in the form of TCP data. I looked in Wireshark: the first and the following packets, except for the last, go without the PSH flag but with data, and the last one goes with the PSH flag and also with data. I read the RFC but did not find / did not understand the answer. Would the following logic be correct:
determine the first and all following packets (except the last one) - if the ACK flag and data > 0
determine the last packet - if the ACK + PSH flag and data > 0
I would be glad for any information. Thank you =)


1 answer(s)
jcmvbkbc, 2014-12-11
@yanchumak

define first and last segment

I don't really understand what you mean by "first and last segment"? The first incoming segment contains SYN in TCP flags, the last one contains FIN or RST.
Read the RFC on IPv4 (https://www.ietf.org/rfc/rfc791.txt), the Fragmentation and Reassembly part. In short, you need to catch all IP fragments of a TCP segment (IP packets with the same set of {source address, destination address, protocol, identification}) and put their data, according to the value in the Fragment Offset field, into a buffer where you assemble the TCP segment. Segment reception ends when the reassembly timeout expires or when all fragments of the segment are received.
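
The reassembly described in the answer above, as an added Python sketch that is not part of the original thread: fragments are grouped by {source address, destination address, protocol, identification} and placed by Fragment Offset, and the datagram is returned once the fragment with MF = 0 has arrived and no hole remains. The names `Reassembler` and `make_fragment` and the sample packets are constructed for this example; the reassembly timeout and IP checksum verification are left out, so a real capture tool must also expire incomplete entries.

```python
import struct

def make_fragment(src, dst, ident, offset, more, payload, proto=6):
    """Build a constructed IPv4 packet (20-byte header, checksum left 0) for the demo."""
    flags_off = (0x2000 if more else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_off, 64, proto, 0, bytes(src), bytes(dst))
    return hdr + payload

class Reassembler:
    """Collects IPv4 fragments keyed by {src, dst, protocol, identification}."""
    def __init__(self):
        self.flows = {}  # key -> {"parts": {offset: bytes}, "total": int or None}

    def feed(self, packet):
        """Take one raw IPv4 packet; return (key, payload) once complete, else None."""
        ver_ihl, _, total_len, ident, flags_off, _, proto, _, src, dst = \
            struct.unpack("!BBHHHBBH4s4s", packet[:20])
        data = packet[(ver_ihl & 0x0F) * 4:total_len]
        more = bool(flags_off & 0x2000)      # MF (more fragments) flag
        offset = (flags_off & 0x1FFF) * 8    # field counts 8-byte units
        key = (src, dst, proto, ident)
        if not more and offset == 0:
            return key, data                 # unfragmented datagram
        st = self.flows.setdefault(key, {"parts": {}, "total": None})
        st["parts"].setdefault(offset, data) # a duplicate keeps the first copy
        if not more:
            st["total"] = offset + len(data) # last fragment fixes the length
        if st["total"] is None:
            return None
        buf = bytearray()
        while len(buf) < st["total"]:
            part = st["parts"].get(len(buf))
            if not part:
                return None                  # hole (or overlap): keep waiting
            buf += part
        del self.flows[key]
        return key, bytes(buf[:st["total"]])

if __name__ == "__main__":
    payload = bytes(range(256)) * 12         # constructed 3072-byte payload
    frags = [make_fragment([10, 0, 0, 1], [10, 0, 0, 2], 0x1234, off,
                           off + 1480 < len(payload), payload[off:off + 1480])
             for off in range(0, len(payload), 1480)]
    r = Reassembler()
    results = [r.feed(f) for f in (frags[2], frags[0], frags[1])]
    print([x is not None for x in results], results[-1][1] == payload)
```

Fragments may arrive in any order, which is why completion is decided by offsets and the MF flag rather than by arrival order or TCP flags.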
