C++ / C#
kuzko, 2020-04-30 10:48:29

How to distinguish TCP segment data from other data in a pcap packet?

When writing a C++ program to process a pcap packet, I ran into a problem: Wireshark shows that the packet has a routing protocol, but it also has TCP segment data, which does not meet the criteria for a routing protocol.

Maybe someone knows how TCP segment data can be distinguished from the BGP protocol, or at least how to find out the length of the TCP segment data and where it is located (because sometimes it goes before the BGP protocol, and sometimes after)?
ZrA3u.png


2 answer(s)
jcmvbkbc, 2020-04-30
@jcmvbkbc

how can you distinguish tcp segment data from bgp protocol,

BGP is transmitted within a TCP connection. Therefore, all data passing through the connection is BGP. But since this is TCP and data is transmitted in segments, the size of which is not related to the data structure, TCP segments can contain both whole BGP messages and parts. The picture shows two BGP messages: one whole, with a total length of 0xa1, from 0x17c to 0x21c, and the beginning of the next one, with a total length of 0xa0, from 0x21d to the end of the TCP segment. In the next TCP segment, respectively, there will be a continuation of this message.

how to find the length

Look into the protocol definition, see the marker and length fields, use them?
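
The marker-and-length approach from the answer above, as an added C++ example (not code from this thread): it buffers TCP payload bytes and cuts out complete BGP messages using the RFC 4271 header layout (16-byte all-ones marker, 2-byte big-endian length that includes the header, 1-byte type). `BgpFramer` and `makeMsg` are hypothetical names, and the payloads are assumed to come from one direction of one connection, in sequence order.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>

// One complete BGP message cut out of the TCP byte stream.
struct BgpMessage {
    std::uint8_t type;                // 1 OPEN, 2 UPDATE, 3 NOTIFICATION, 4 KEEPALIVE
    std::vector<std::uint8_t> bytes;  // full message, 19-byte header included
};

// Hypothetical helper (assumption: payloads of ONE direction of ONE connection,
// fed in sequence order; reordering and retransmissions are not handled).
class BgpFramer {
public:
    static constexpr std::size_t kHeader = 19, kMarker = 16, kMaxLen = 4096;
    std::vector<BgpMessage> feed(const std::uint8_t* data, std::size_t len) {
        buf_.insert(buf_.end(), data, data + len);
        std::vector<BgpMessage> out;
        std::size_t pos = 0;
        while (buf_.size() - pos >= kHeader) {
            const std::uint8_t* h = buf_.data() + pos;
            // Marker: 16 bytes of 0xFF. Anything else means framing was lost.
            if (!std::all_of(h, h + kMarker, [](std::uint8_t b) { return b == 0xFF; }))
                throw std::runtime_error("BGP marker mismatch: stream out of sync");
            // Length: big-endian, counts the header too; bounded, so is buf_.
            std::size_t msgLen = (std::size_t{h[16]} << 8) | h[17];
            if (msgLen < kHeader || msgLen > kMaxLen)
                throw std::runtime_error("BGP length field out of range");
            if (buf_.size() - pos < msgLen) break;  // tail is in a later segment
            out.push_back({h[18], std::vector<std::uint8_t>(h, h + msgLen)});
            pos += msgLen;
        }
        buf_.erase(buf_.begin(), buf_.begin() + pos);  // keep only the partial tail
        return out;
    }
    std::size_t pending() const { return buf_.size(); }
private:
    std::vector<std::uint8_t> buf_;
};

// Constructed sample input: a message of total length `len` with a zeroed body.
std::vector<std::uint8_t> makeMsg(std::uint8_t type, std::uint16_t len) {
    std::vector<std::uint8_t> m(len, 0);
    std::fill(m.begin(), m.begin() + 16, 0xFF);
    m[16] = len >> 8; m[17] = len & 0xFF; m[18] = type;
    return m;
}
```

Whatever `pending()` reports after a call is what Wireshark labels "TCP segment data": bytes of a BGP message whose remainder arrives in a later segment.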

Ruslan, 2020-05-01
@msHack

read about file signatures
