Since TCP is a streaming protocol, the packet boundaries are just artificial cuts in the data stream. This is needed because every network has a finite maximum length per packet; this maximum length is called the Maximum Transmission Unit (MTU). For normal Ethernet, the MTU is 1500. This means Ethernet can send 1500 bytes of data to another Ethernet host. From these 1500 bytes, 20 bytes are needed for the IP header and 20 bytes are needed for the TCP header, leaving 1460 bytes for the TCP payload. This is what is called the Maximum Segment Size (MSS). If TCP needs to send a block of data (a higher layer Protocol Data Unit (PDU)) that is larger than this MSS, it will break up the PDU into smaller pieces of size MSS and send those segments as individual packets to the receiver. The receiver then strips the Ethernet/IP/TCP headers and places the TCP segment in the receive buffer. All segments are processed that way until the full PDU is received and the data can then be handed over to the application in one piece.

If I have read your question correctly, you are trying to parse a pcap file in which there are packets of protocol X which are transported over TCP. Protocol Data Units (PDUs) of protocol X have a length header that indicates the length of the PDU. However, that length can be greater than the Maximum Segment Size (MSS); therefore the PDU will not fit into one packet, as explained. Your parser needs to read the length of the PDU and it will need to keep reading TCP packets until all bytes of the PDU are received so that it can dissect it. This is called reassembly in Wireshark and your parser should do something similar too.
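
The reassembly described in the answer above, as an added Python sketch that is not part of the original answer or of Wireshark: it goes one step beyond the text by also ordering segments by TCP sequence number and discarding retransmitted bytes before it reads the length header. Protocol X's framing is not given on the page, so the 2-byte big-endian length header (counting payload bytes only), the `MAX_PDU` limit, and the names `PduReassembler`, `feed` and `demo` are assumptions; the caller is assumed to have already pulled `(seq, payload)` pairs for one direction of one connection out of the pcap.

```python
import struct

HDR = struct.Struct("!H")  # assumed header: 2-byte big-endian payload length
MAX_PDU = 8192             # assumed sanity limit on a declared PDU length

class PduReassembler:
    """Rebuilds length-prefixed PDUs from one direction of a TCP connection."""
    def __init__(self, initial_seq):
        self.next_seq = initial_seq  # sequence number of the next expected byte
        self.pending = {}            # seq -> payload waiting for a gap to fill
        self.stream = bytearray()    # in-order bytes not yet split into PDUs

    def feed(self, seq, payload):
        """Add one TCP payload; return the PDUs it completed (possibly none)."""
        if len(payload) > len(self.pending.get(seq, b"")):
            self.pending[seq] = payload
        moved = True
        while moved:  # repeat: one segment may make the next one contiguous
            moved = False
            for s in list(self.pending):
                behind = (self.next_seq - s) & 0xFFFFFFFF  # bytes already seen
                if behind >= 1 << 31:
                    continue  # segment lies beyond a gap, keep waiting
                data = self.pending.pop(s)
                if behind < len(data):  # drop the retransmitted overlap
                    self.stream += data[behind:]
                    self.next_seq = (s + len(data)) & 0xFFFFFFFF
                    moved = True
        return self._extract()

    def _extract(self):
        pdus = []
        while len(self.stream) >= HDR.size:
            (length,) = HDR.unpack_from(self.stream)
            if length > MAX_PDU:
                raise ValueError("declared PDU length %d exceeds limit" % length)
            end = HDR.size + length
            if len(self.stream) < end:
                break  # rest of this PDU is in a later segment
            pdus.append(bytes(self.stream[HDR.size:end]))
            del self.stream[:end]
        return pdus

def demo():
    """Constructed sample: a 3000-byte PDU cut at MSS 1460, segments reordered."""
    wire = HDR.pack(3000) + b"A" * 3000 + HDR.pack(5) + b"hello"
    segs = [(1000 + i, wire[i:i + 1460]) for i in range(0, len(wire), 1460)]
    r = PduReassembler(1000)
    return [r.feed(s, d) for s, d in (segs[1], segs[0], segs[0], segs[2])]
```

Because the length field comes from the capture and is untrusted, the parser checks it against a limit before waiting for that many bytes; with a wider length field than the one assumed here, that check is what stops a corrupt or hostile header from making the parser buffer the rest of the stream.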