TCP Out of Order

Jul 15, 2012 at 8:22 AM
Edited Jul 15, 2012 at 2:09 PM

Hi Boaz,

My internal application (sniffer) is using this component and works fine with our core requirements; however, as we go forward we have found out that we are also saving out-of-order packets, which affects the accuracy/integrity of reports. My question is: "Is it possible to disregard Out-Of-Order packets from Pcap.Net?"

I can extract out-of-order packets from Wireshark using "tcp.analysis.out_of_order" however I need to get the equivalent in Berkeley Packet Filter (BPF).

Please advise if this is possible.

Cheers,

techguy

Coordinator
Jul 17, 2012 at 4:46 PM

Hi techguy,

Out Of Order is not information that is marked in the Packet.

It is an analysis done on several TCP packets together.

Currently, Pcap.Net works only per packet.

You can analyze the packets and find Out Of Order packets by looking at the TCP packets' sequence numbers.

Can you give more information as to why saving out-of-order packets affects the accuracy/integrity of reports?

Boaz.

Jul 21, 2012 at 9:15 AM

Hi Boaz,

Thanks for your reply. With reference to the process of saving packets (in the form of a statistical report), it accumulates duplicate entries since we need input from the number of classified packets.

I also learned that this out-of-order is really a result of analysis, as you mentioned. I managed to do this process using offline Pcap files, as I periodically capture packets to a dump file and run the necessary actions to take out duplicate packets; however, I stumbled into a new scenario.

Is it possible to read from an existing Pcap dump file and then re-create a new Pcap file composed of unique packets?

Cheers,

techguy

Coordinator
Jul 21, 2012 at 3:18 PM

Yes, I think that reading a dump file and filtering it appropriately is quite straightforward.

You'll just need to read the packets and check, for every new packet that you read, whether such a packet was already read before.

Makes sense?
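Worked example of the dump-file rewrite described above, added here and not part of the thread (it is neither Boaz's nor Pcap.Net's own code). It reads a capture with Pcap.Net, writes a new capture keeping each TCP data segment once, and uses the sequence number plus payload length per connection as the duplicate key, since a retransmission repeats both; the file names are placeholders, and the Pcap.Net calls used (OfflinePacketDevice, PacketCommunicator.OpenDump, PacketDumpFile.Dump) are from my understanding of the library, not from this thread.

```csharp
using System;
using System.Collections.Generic;
using PcapDotNet.Core;
using PcapDotNet.Packets;
using PcapDotNet.Packets.Ethernet;
using PcapDotNet.Packets.IpV4;
using PcapDotNet.Packets.Transport;

// Reads one pcap dump file and writes a second one without duplicate TCP data segments.
// Segments without payload (pure ACKs, window updates, keepalives) are always kept:
// identical ones occur legitimately many times, so dropping them would corrupt the trace.
class DedupDump
{
    static void Main(string[] args)
    {
        string inputFile = args.Length > 0 ? args[0] : "in.pcap";   // placeholder paths
        string outputFile = args.Length > 1 ? args[1] : "out.pcap";
        var seen = new HashSet<string>();
        int read = 0, written = 0;

        OfflinePacketDevice device = new OfflinePacketDevice(inputFile);
        using (PacketCommunicator communicator =
               device.Open(65536, PacketDeviceOpenAttributes.Promiscuous, 1000))
        using (PacketDumpFile dump = communicator.OpenDump(outputFile))
        {
            // With an offline device, ReceivePackets(0, ...) returns once the file is exhausted.
            communicator.ReceivePackets(0, packet =>
            {
                read++;
                string key = SegmentKey(packet);
                if (key != null && !seen.Add(key))
                    return;                 // same connection, sequence number and size: skip
                dump.Dump(packet);
                written++;
            });
        }
        Console.WriteLine("read {0} packets, wrote {1} unique packets", read, written);
    }

    // Duplicate key for a TCP segment carrying data; null for anything that must be kept.
    static string SegmentKey(Packet packet)
    {
        if (packet.DataLink.Kind != DataLinkKind.Ethernet) return null;
        if (packet.Ethernet.EtherType != EthernetType.IpV4) return null;
        IpV4Datagram ip = packet.Ethernet.IpV4;
        if (!ip.IsValid || ip.Protocol != IpV4Protocol.Tcp) return null;
        TcpDatagram tcp = ip.Tcp;
        if (tcp.Payload.Length == 0) return null;
        return string.Join("|", ip.Source, ip.Destination, tcp.SourcePort,
                           tcp.DestinationPort, tcp.SequenceNumber, tcp.Payload.Length);
    }
}
```

Note that this removes repeated (retransmitted) segments only; a segment that merely arrived ahead of its predecessor appears once and is kept, so any reordering is still left to whatever consumes the output file.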