> Hello friends,
>
> I am having a file in which I have kept packets sniffed from the network with the timestamp of each and every packet when it was sniffed from the network. These are all TCP/IP packets and nothing else, and might have been transmitted from any computer running any OS, I mean Windows or Linux or Solaris or anyone else. Now for reconstructing TCP sessions from the single dump file, I firstly separate out the packets on the basis of the 4-tuple of communication, viz. IP addresses and port numbers. This results in creating multiple files with every file having packets with the same 4-tuple. These packets are sorted on the basis of the timestamp of every packet as it is also there in the dump file.
>
> Now, here is what I need to do - I need to read every file and then check whether there were more than one connection on the same tuple of communication and in that case separate the packets in this file into two separate files. The problem here is that I might not have all the packets of the connection, and this includes the absence of SYN, SYN-ACK or FIN packets. So, I need some heuristics that a packet belongs to the same connection or some other connection. Well, here are some of the points which I have listed for applying heuristics; I would require help from you to read these and then comment/add something to them so that I can get the things working with the best heuristics.
>
> 1. A mismatched sequence number requires that we need to inspect the session with the heuristics... (there could be something associated with a timestamp too, but I am unable to decide upon something, please help).
>
> 2. The heuristics basically depend upon the timestamp of the adjacent packets, as for example it could be: if the timestamp difference is X and we cannot expect this number of bytes Y (evaluated from taking the difference of sequence numbers) to travel the network in such a short amount of time, then it's okay for us to consider the packets as belonging to two separate connections.
>
> Actually this all depends upon what likelihood we have that the same tuple of communication will be used again and in how short an interval of time? So please help me in this as I am not able to decide upon the exact heuristics... Any link or document or paper would also be of help!
>
> Thanks for your help
> mal
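An added example, not from mal's post, sketching the two heuristics described above for one 4-tuple's packets: a sequence-number mismatch triggers inspection, and the split is made when the missing bytes could not plausibly have crossed the wire in the elapsed time (or the gap is simply too long), with a fresh SYN always starting a new connection. The Packet fields, the max_rate and max_idle thresholds and the SAMPLE capture are all constructed assumptions.

```python
from dataclasses import dataclass

SYN, FIN, ACK = 0x02, 0x01, 0x10
MASK = 0xFFFFFFFF                     # sequence numbers wrap at 2^32

@dataclass
class Packet:
    ts: float      # capture timestamp, seconds
    side: str      # ">" client->server, "<" server->client
    seq: int       # TCP sequence number
    payload: int   # TCP payload bytes
    flags: int = 0

def split_connections(packets, max_rate=12_500_000, max_idle=300.0):
    """Split one 4-tuple's packets (sorted by ts) into connections. max_rate: bytes/s a
    seq jump could plausibly cover (assumed ~100 Mbit/s); max_idle: seconds of silence."""
    connections, current, expected, last_ts = [], [], {}, None
    for p in packets:
        bare_syn = (p.flags & (SYN | ACK)) == SYN
        new_conn = False
        if current and bare_syn and (p.seq + 1) & MASK != expected.get(p.side):
            new_conn = True              # fresh SYN (not a SYN retransmit) opens a new connection
        elif p.side in expected:
            delta = (p.seq - expected[p.side]) & MASK
            if 0 < delta < 1 << 31:      # seq jumped forward: bytes we never captured
                gap = max(p.ts - last_ts, 1e-6)
                if gap > max_idle or delta > max_rate * gap:
                    new_conn = True      # idle too long, or too many bytes for the elapsed time
        if new_conn:
            connections.append(current)
            current, expected = [], {}
        current.append(p)
        delta = (p.seq - expected.get(p.side, p.seq)) & MASK
        if delta < 1 << 31:              # in order or ahead: advance; behind = retransmission
            expected[p.side] = (p.seq + p.payload + bool(p.flags & SYN) + bool(p.flags & FIN)) & MASK
        last_ts = p.ts
    if current:
        connections.append(current)
    return connections

# Constructed sample: handshake + data (one retransmit), tuple reused 10 min later with no SYN
# captured, then a third connection that does start with a SYN.
SAMPLE = [
    Packet(0.00, ">", 1000, 0, SYN), Packet(0.01, "<", 5000, 0, SYN | ACK), Packet(0.02, ">", 1001, 0, ACK),
    Packet(0.03, ">", 1001, 100, ACK), Packet(0.05, "<", 5001, 200, ACK), Packet(0.06, ">", 1001, 100, ACK),
    Packet(600.0, ">", 77000, 50, ACK), Packet(600.01, "<", 99000, 0, ACK), Packet(601.0, ">", 3000, 0, SYN),
]
if __name__ == "__main__":
    for i, conn in enumerate(split_connections(SAMPLE), 1):
        print(f"connection {i}: {len(conn)} packets, first at t={conn[0].ts}")
```

A small forward gap within a short interval (a single lost packet) stays in the same connection, while a jump of tens of megabytes in ten milliseconds is split off.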