I am trying to parse payloads from TCP Packets stored in a wireshark pcap file. These payloads can have variable lengths as they are from a system that may send large pieces of information or small amounts.
I start by parsing the ethernet frames, then the IPv4 packets which contain a TCP Packet. Following the TCP packet header I am able to find the payload and know the payloads length.
Because some of this data can span across multiple TCP Packets, I sort from low to high each sequence, for each set of ports and addresses. Upon then traversing through the payloads, I would start at the lowest sequence number for a particular 'stream' (stream being identified by its dest port, source port, dest address and source address).
In my logic I am assuming following a specific stream by lowest to highest sequence should allow me to see all the data in the correct order. However, I am seeing sometimes I am missing some data.
Is there something wrong with my approach to how I would parse these? I feel like I'm missing a step
These packets don't seem to be over the snap length. I seem to be able to parse a lot of packets absolutely fine, but some seem to be missing portions of data.
Is there something I am overlooking?
