
I'm trying to write a program that reconstructs TCP sessions. I have a pcap file which has packets. The problem is I don't know which packets I should use to construct sessions when there is a retransmission.

retransmission http://img412.imageshack.us/img412/4655/retransmission.png

Here is what Wireshark shows about this session. Which packets should I use to reconstruct the session? The first packets or the retransmitted packets? Which of them have valid data?

I couldn't find a way to attach a pcap file; if you want, I can upload the pcap file somewhere.

varstas

1 Answer


You probably want to extract only data which you're sure has been delivered. That means you need to extract only those retransmitted packets that have been ACK-ed. An ACK received on the sending side carries the number of bytes that have been received at the receiving side. Those bytes are data that has been received successfully.

You need the first packets (I assume you mean the 3-way handshake packets) as they carry the Initial Sequence Numbers (ISN), so you can recognize the (absolute) sequence number of the first byte (octet) of data as ISN + 1.

Regarding the implementation, have you checked this article?

Bojan Komazec
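The rule in the answer above, carried into code as an added example (not from the question or the answer): one direction of a stream is rebuilt from the ISN taken from its SYN, retransmitted bytes that overlap data already seen are dropped rather than appended, and only bytes the peer has ACKed are emitted. The segment tuples and sequence numbers below are constructed sample values, not from the poster's capture.

```python
MASK = 0xFFFFFFFF  # TCP sequence numbers are 32-bit and wrap around


def reassemble(isn, segments, peer_ack):
    """Rebuild one direction of a TCP stream.

    isn       - Initial Sequence Number from this side's SYN; the first data
                byte has absolute sequence number isn + 1.
    segments  - (seq, payload) pairs in capture order, retransmissions included.
    peer_ack  - highest ACK number seen from the other side; bytes at or beyond
                it were never acknowledged and are left out.
    Returns (reassembled_bytes, notes), where notes flags anomalies an analyst
    should look at (gaps, retransmissions whose bytes differ from the original).
    """
    first = (isn + 1) & MASK
    buf = {}          # relative offset -> byte (a real tool would use interval lists)
    notes = []
    for seq, payload in segments:
        rel = (seq - first) & MASK      # relative offset, wrap-safe
        for i, b in enumerate(payload):
            off = rel + i
            if off in buf:
                # Retransmission: same offset already filled. Keep the first copy,
                # but record it if the retransmitted byte disagrees.
                if buf[off] != b:
                    notes.append(f"conflicting retransmission at offset {off}")
                continue
            buf[off] = b
    acked_len = (peer_ack - first) & MASK
    out = bytearray()
    for off in range(acked_len):     # trust only what the receiver ACKed
        if off not in buf:
            notes.append(f"gap at offset {off}")
            break
        out.append(buf[off])
    return bytes(out), notes


# Constructed sample: client ISN 1000, two data segments, one retransmission of
# the first segment, and a trailing segment the server has not yet ACKed.
SAMPLE_ISN = 1000
SAMPLE_SEGMENTS = [
    (1001, b"GET / HT"),
    (1009, b"TP/1.1\r\n"),
    (1001, b"GET / HT"),           # retransmission of the first segment
    (1017, b"Host: x\r\n\r\n"),    # beyond the peer's ACK, not yet delivered
]
SAMPLE_PEER_ACK = 1017

if __name__ == "__main__":
    print(reassemble(SAMPLE_ISN, SAMPLE_SEGMENTS, SAMPLE_PEER_ACK))
```

Feeding the same function a capture with a missing segment stops the output at the gap and reports it, and a retransmission whose payload differs from the original is reported instead of silently overwriting the stream.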