Ask Your Question
0

How do you get tcp flags in another dissector

asked 2020-06-02 21:21:46 +0000

jlshuman gravatar image

I have a dissector that processes messages that are transported on TCP. In my dissector, I need to know when a tcp session has finished with a message by checking when the TCP Push flag has been set. Is there a way to get the value of that flag in my dissector? Or, is there another way to know that I have the last packet in a TCP transported message?

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2020-06-03 05:08:28 +0000

Guy Harris gravatar image

Why do you think PSH indicates when a session has finished with a message?

There is no notion of "messages" in TCP; TCP is a byte-stream protocol, with no message boundaries - protocols that send messages over TCP use conventions within the protocol to determine message boundaries. A common technique is to have each message start with a message length field; other techniques, for text-style protocols such as FTP, HTTP, etc. is either to use a line ending as a message end (for messages that fit in one line) or to use a blank line to separate message headers from the message body (used by, for example, HTTP - which can also use Content-Length headers as a message length field for the message body).

If your protocol does not have such a mechanism, you need to modify it to introduce such a mechanism.

edit flag offensive delete link more

Comments

The protocol is not mine, so I cannot modify it. It does not have a length at the beginning. And it is binary data that must be converted to text once I get all the packets, so I can't just look for an end of message marker. In a C# application that we have, we look for a tcp.push flag to be set to know when we received the last packet of the message. Then we can reassemble the binary data and convert it to text. This works for our C# project. The messages are using Google Protocol Buffers. Do you know if there is a way to get the length of one of those?

jlshuman1961 gravatar imagejlshuman1961 ( 2020-06-03 14:21:14 +0000 )edit

I still would like to know how to access the tcp flags from inside of my dissector, which is not a TCP dissector, but a dissector of a message transported on TCP.

jlshuman gravatar imagejlshuman ( 2020-06-04 19:05:51 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

2 followers

Stats

Asked: 2020-06-02 21:21:46 +0000

Seen: 360 times

Last updated: Jun 03 '20