Hello friends,

I have a file in which I have kept packets sniffed from the network, with the timestamp of each and every packet when it was sniffed from the network. These are all TCP/IP packets and nothing else, and might have been transmitted from any computer running any OS, I mean Windows or Linux or Solaris or anyone else.

Now, for reconstructing TCP sessions from the single dump file, I firstly separate out the packets on the basis of the 4-tuple of communication, viz. IP addresses and port numbers. This results in creating multiple files, with every file having packets with the same 4-tuple. These packets are sorted on the basis of the timestamp of every packet, as it is also there in the dump file.

Now, here is what I need to do: I need to read every file and then check whether there was more than one connection on the same tuple of communication, and in that case separate the packets in this file into two separate files. The problem here is that I might not have all the packets of the connection, and this includes the absence of SYN, SYN-ACK or FIN packets. So, I need some heuristics that a packet belongs to the same connection or some other connection.

Well, here are some of the points which I have listed for applying heuristics. I would require help from you to read these and then comment/add something to them so that I can get things working with the best heuristics.

1. A mismatched sequence number requires that we need to inspect the session with the heuristics... (there could be something associated with a timestamp too, but I am unable to decide upon something, please help).

2. The heuristics basically depend upon the timestamp of the adjacent packets. For example, if the timestamp difference is X and we cannot expect this number of bytes Y (evaluated by taking the difference of sequence numbers) to travel the network in such a short amount of time, then it's okay for us to consider the packets as belonging to two separate connections.

Actually, this all depends upon what likelihood we have that the same tuple of communication will be used again, and in how short an interval of time? So please help me in this, as I am not able to decide upon the exact heuristics... Any link or document or paper would also be of help!

Thanks for your help,
mal
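The following is an added example, not code from the original post or from any tool the poster mentions. It shows one way to implement the two heuristics described above (sequence-number continuity checked against the elapsed time, plus a bare SYN or a long idle gap as connection boundaries) over the packets of a single 4-tuple. The packet record, the endpoints, the sample capture and the three thresholds (assumed link capacity, idle timeout and reordering window) are all constructed assumptions; real captures would be parsed into the same `Packet` records first.

```python
# Added example: split one 4-tuple's packets into separate TCP connections
# using sequence-number continuity, timing and SYN flags.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Tunable thresholds. These values are assumptions for illustration.
MAX_BYTES_PER_SEC = 125_000_000   # ~1 Gbit/s link: most bytes a sequence jump can plausibly cover
IDLE_TIMEOUT = 300.0              # seconds of silence after which the tuple is assumed reused
SEQ_WINDOW = 1 << 20              # tolerated reordering/retransmission distance in sequence space
SEQ_MASK = 0xFFFFFFFF


@dataclass
class Packet:
    ts: float          # capture timestamp in seconds
    src: str           # "ip:port" of the sender; identifies the direction within the tuple
    seq: int           # TCP sequence number
    payload_len: int   # bytes of TCP payload
    flags: str         # subset of "SAFPR", e.g. "S", "SA", "PA", "FA"


@dataclass
class Connection:
    start_reason: str
    packets: List[Packet] = field(default_factory=list)


def seq_diff(expected: int, seq: int) -> int:
    """Signed distance from expected to seq modulo 2**32, in (-2**31, 2**31]."""
    d = (seq - expected) & SEQ_MASK
    return d - (1 << 32) if d > (1 << 31) else d


def is_new_connection(last_ts: Optional[float], expected: Optional[int],
                      pkt: Packet) -> Tuple[bool, Optional[str]]:
    """Decide whether pkt opens a new connection on this tuple.

    last_ts:  timestamp of the previous packet on the tuple (either direction).
    expected: next sequence number expected from pkt.src, or None if that
              direction has not yet been seen in the current connection.
    """
    if "S" in pkt.flags and "A" not in pkt.flags:
        return True, "bare SYN"          # a client SYN always opens a new connection
    d = seq_diff(expected, pkt.seq) if expected is not None else None
    if d is not None and -SEQ_WINDOW <= d <= SEQ_WINDOW:
        return False, None               # in order, a retransmission, or mild reordering
    if last_ts is not None and pkt.ts - last_ts > IDLE_TIMEOUT:
        return True, "idle gap"          # long silence and no sequence continuity
    if d is None:
        return False, None               # first packet in this direction; nothing to compare
    prev_ts = last_ts if last_ts is not None else pkt.ts
    elapsed = max(pkt.ts - prev_ts, 1e-6)
    if d < 0 or d > elapsed * MAX_BYTES_PER_SEC:
        return True, "seq jump"          # backwards, or more bytes than the link could carry
    return False, None                   # large but plausible gap: packets missing from the capture


def split_connections(packets: List[Packet]) -> List[Connection]:
    """Group the packets of one 4-tuple into connections, in capture order."""
    conns: List[Connection] = []
    current: Optional[Connection] = None
    expected: Dict[str, int] = {}        # direction -> next expected sequence number
    last_ts: Optional[float] = None
    for pkt in sorted(packets, key=lambda p: p.ts):
        new, reason = is_new_connection(last_ts, expected.get(pkt.src), pkt)
        if current is None or new:
            current = Connection(reason or "start of file")
            conns.append(current)
            expected = {}                # sequence state does not carry across connections
        current.packets.append(pkt)
        # SYN and FIN each occupy one sequence number in addition to the payload
        consumed = pkt.payload_len + ("S" in pkt.flags) + ("F" in pkt.flags)
        expected[pkt.src] = (pkt.seq + consumed) & SEQ_MASK
        last_ts = pkt.ts
    return conns


C, S = "10.0.0.1:40000", "10.0.0.2:80"   # constructed endpoints of one 4-tuple
SAMPLE_PACKETS = [                       # constructed capture: three connections on the same tuple
    Packet(0.000, C, 1000, 0, "S"),
    Packet(0.010, S, 5000, 0, "SA"),
    Packet(0.020, C, 1001, 0, "A"),
    Packet(0.030, C, 1001, 100, "PA"),
    Packet(0.035, C, 1001, 100, "PA"),    # retransmission: must stay in the same connection
    Packet(0.040, S, 5001, 500, "PA"),
    Packet(0.050, C, 1101, 0, "FA"),
    Packet(0.055, S, 5501, 0, "FA"),
    Packet(0.060, C, 1102, 0, "A"),
    # tuple reused; handshake not captured, so only the sequence jump reveals it
    Packet(0.500, C, 900_000_000, 50, "PA"),
    Packet(0.510, S, 3_000_000, 200, "PA"),
    Packet(0.520, C, 900_000_050, 0, "A"),
    # reused again after a long silence, again without a handshake
    Packet(400.0, C, 42_000, 10, "PA"),
]

if __name__ == "__main__":
    for i, conn in enumerate(split_connections(SAMPLE_PACKETS)):
        print(f"connection {i}: {len(conn.packets)} packets, started by: {conn.start_reason}")
```

On the sample capture this yields three connections (9, 3 and 1 packets), opened by a bare SYN, a sequence jump and an idle gap respectively. The order of the checks matters: a packet whose sequence number continues where the sender left off is kept in the current connection even after a long pause, because a freshly chosen initial sequence number is unlikely to land within the window of the old one, whereas a packet that neither continues the sequence nor arrives soon after the previous one is treated as a reuse of the tuple. The ACK numbers of the opposite direction can be checked the same way for extra confidence, and `MAX_BYTES_PER_SEC` should be set from the actual capture link.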