How to build messages from TCP segments


Problem description

Working in C#, I use SharpPcap to get segments from a WinPcap trace.

I need to rebuild all the messages sent and received in that trace.

In my situation, the client's and server's IPs will never be the same. The client's port does not necessarily change.

The protocol used by the message could be HTTP or something custom that I don't know.

This is what I currently do:

if (ipPacket.Protocol == IPProtocolType.TCP)
{
    TcpPacket tcpPacket = (TcpPacket)ipPacket.PayloadPacket;

    // Walk down to the innermost packet to reach the application payload
    Packet dataPacket = tcpPacket;
    while (dataPacket.PayloadPacket != null)
        dataPacket = dataPacket.PayloadPacket;

    if (dataPacket.PayloadData.Length > 0)
    {
        // Start a new message when the sender changes and PSH is set;
        // otherwise append the payload to the current message
        if (m_MessageContainer.IsEmpty()
            || ((m_MessageContainer.Last().SourceIp.ToString() != ipPacket.SourceAddress.ToString())
                 && tcpPacket.Psh))
        {
            m_MessageContainer.Add(BuildMessage(ipPacket, tcpPacket));
        }
        m_MessageContainer.Last().AddData(dataPacket.PayloadData);
    }
}

The problem with my solution is when the client sends two requests in a row: I just merge the two messages into one. If I change

if (m_MessageContainer.IsEmpty()
  || ((m_MessageContainer.Last().SourceIp.ToString() != ipPacket.SourceAddress.ToString())
       && tcpPacket.Psh))
 {
     m_MessageContainer.Add(BuildMessage(ipPacket, tcpPacket));                      
 }

to

if (m_MessageContainer.IsEmpty()
  || tcpPacket.Psh)
 {
     m_MessageContainer.Add(BuildMessage(ipPacket, tcpPacket));                      
 }

then a problem occurs when a message is split over more than one TCP segment and the PSH flag is set on at least two of those segments.

I need a way to correctly merge segments to rebuild the original messages. I can't rely on the protocol used over TCP.

Thanks!

Edit: In Wireshark, when you do Follow TCP Stream, it doesn't necessarily know the protocol over TCP, but it is able to show each request and response in different colors. How is it able to do that? I am seeking the same functionality, because in my situation there will never be a second request before a response is received in a stream. Thanks

Recommended answer

There's no way to know, just from observing the stream on the wire, how the original application code wrote to the socket. You are talking about using hints that might show up under certain circumstances, but you can't rely on them (as you have discovered).

write(sock, "GET / HTTP/1.0\r\n\r\n", len);

write(sock, "GET / HTTP/1.0\r\n", len);
write(sock, "\r\n", 2);

write(sock, "GET / HTTP/1.0\r\n", len);
sleep(1);
write(sock, "\r\n", 2);

All three of those examples are legal ways to write an HTTP query. All three could look the same on the wire. Certainly the last one has a strong chance of being different, even though it means the same thing (imagine the sleep isn't explicit, but is caused by reading cookies off of disk). Even so, the last one could be folded into a single transmission if the particular TCP socket is being held off by retries at the moment the two writes occur. The second example might show up as one packet or two, based just on the other load on the interface (or socket options like CORK).
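The following is an added example, not code from the question or the answer above. It shows the two things the thread is circling around: the only boundary the wire does expose is a change of direction (which is all Wireshark's Follow TCP Stream colouring reflects), and anything finer, such as two back-to-back requests from the same side, needs protocol-aware framing. The reassembler orders segments by sequence number and tolerates retransmissions and out-of-order arrival; `split_http_requests` is a deliberately minimal HTTP framer (Content-Length only, no chunked encoding). Endpoints, sequence numbers and the trace itself are constructed for the demo; the "first data segment per direction is in order" rule is an assumption that a real tool would replace by taking the ISN from the handshake.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass
class Segment:
    """One TCP segment as a capture library would hand it over (constructed here)."""
    src: Endpoint
    dst: Endpoint
    seq: int        # sequence number of the first payload byte
    payload: bytes
    psh: bool = False  # carried along only to show it plays no part in framing


@dataclass
class Turn:
    """A maximal run of bytes sent in one direction before the peer answered."""
    src: Endpoint
    dst: Endpoint
    data: bytearray = field(default_factory=bytearray)


class StreamReassembler:
    """Rebuild a connection's byte streams by sequence number, then cut them
    into turns wherever the direction flips: the one boundary the wire shows."""

    def __init__(self) -> None:
        self.next_seq: Dict[Tuple[Endpoint, Endpoint], int] = {}
        self.pending: Dict[Tuple[Endpoint, Endpoint], Dict[int, bytes]] = {}
        self.turns: List[Turn] = []

    def feed(self, seg: Segment) -> None:
        if not seg.payload:  # pure ACKs carry nothing to reassemble
            return
        key = (seg.src, seg.dst)
        if key not in self.next_seq:
            # Assumption: first data segment per direction is in order.
            # A real tool takes the ISN from the SYN / SYN-ACK instead.
            self.next_seq[key] = seg.seq
            self.pending[key] = {}
        self.pending[key][seg.seq] = seg.payload
        self._drain(key)

    def _drain(self, key: Tuple[Endpoint, Endpoint]) -> None:
        pending = self.pending[key]
        while True:
            nxt = self.next_seq[key]
            # A buffered chunk covering the next expected byte; slicing it
            # also handles retransmissions that partially overlap old data.
            hit = next((s for s, d in pending.items() if s <= nxt < s + len(d)), None)
            if hit is None:
                break
            chunk = pending.pop(hit)[nxt - hit:]
            self._append(key[0], key[1], chunk)
            self.next_seq[key] = nxt + len(chunk)
        # Whatever ends before next_seq is a pure duplicate: discard it.
        for s in [s for s, d in pending.items() if s + len(d) <= self.next_seq[key]]:
            del pending[s]

    def _append(self, src: Endpoint, dst: Endpoint, data: bytes) -> None:
        if self.turns and self.turns[-1].src == src:
            self.turns[-1].data += data  # same direction: same turn
        else:
            self.turns.append(Turn(src, dst, bytearray(data)))


def split_http_requests(data: bytes) -> List[bytes]:
    """Protocol-aware framing of one turn: headers end at the blank line,
    body length comes from Content-Length. This is the step the wire cannot do."""
    out = []
    while data:
        end = data.find(b"\r\n\r\n")
        if end < 0:
            break  # incomplete message; a real parser would wait for more bytes
        length = 0
        for line in data[:end].split(b"\r\n"):
            if line.lower().startswith(b"content-length:"):
                length = int(line.split(b":", 1)[1].strip())
        out.append(data[:end + 4 + length])
        data = data[end + 4 + length:]
    return out


def demo() -> List[Turn]:
    """Constructed trace: a request split over two PSH segments plus a retransmit,
    a response, then two pipelined requests whose segments arrive out of order."""
    client, server = ("10.0.0.2", 51000), ("10.0.0.1", 80)
    req1a, req1b = b"GET /a HTTP/1.1\r\nHost: example\r\n", b"\r\n"
    resp = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"
    req2, req3 = b"GET /b HTTP/1.1\r\n\r\n", b"GET /c HTTP/1.1\r\n\r\n"
    c0, s0 = 1000, 5000
    segs = [
        Segment(client, server, c0, req1a, psh=True),
        Segment(client, server, c0, req1a, psh=True),                # retransmit
        Segment(client, server, c0 + len(req1a), req1b, psh=True),  # PSH again
        Segment(server, client, s0, resp, psh=True),
        Segment(client, server, c0 + len(req1a + req1b + req2), req3),  # early
        Segment(client, server, c0 + len(req1a + req1b), req2),
    ]
    r = StreamReassembler()
    for s in segs:
        r.feed(s)
    return r.turns
```

Running `demo()` yields three turns, not four: the split `GET /a` is correctly joined despite PSH on both segments, but `GET /b` and `GET /c` land in one client turn because nothing changed direction between them, which is exactly the merge described in the question. Only `split_http_requests` on that turn separates them, and for a custom protocol you would need the equivalent framing rule for that protocol.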
