Re: TCP/UDP Data Streams - Packet Reassembly

From: samuelat_private
Date: Thu Dec 19 2002 - 10:23:09 PST

    No one has mentioned this yet, so here it is:
    
    Provided that the dump contains the data portion of the TCP PDU (protocol
    data unit) you can extract the traffic that was sent over TCP during a
    connection.  UDP is a stateless protocol and so to have any reassembly
    take place regarding UDP you would have to reconstruct the upper layer
    protocol information and work with that.
    
    TCP is a connection-oriented protocol and so each PDU is given a sequence
    number.  Time and dates are not normally included in UDP and TCP packets
    and IP almost NEVER uses any sort of dating information.  If you collect
    data, be SURE that you can extract the date information from the upper
    layer protocols (such as SMTP or HTTP) or reliably date your tcpdump.
    
    Finally, the best place to get technical information on TCP and UDP is to
    look at the associated RFCs (Request for Comments) which define TCP and
    UDP format and behavior.  There is also an excellent book by Siemens which
    talks about TCP and related protocols and gives quick PDU format diagrams
    in the front.  Note that to get the data portion from the tcpdump, you
    must set your snap length to the link-layer MTU or greater and include the
    -X flag in the program. :-)  Ethereal is a very nice program that "knows"
    about upper layers and is free and quite well maintained!  It also has
    plugins for other transport layer protocols such as SCTP.
    
    Hope this helps some!  I would suggest grabbing an expert on transport
    layer protocols and tapping their mind for some of the finer details
    involved.  Dumps (regardless of program) can be interesting depending on
    the networking context.
    
    Sam
    
    On Thu, 19 Dec 2002, Susan Chan Lee wrote:
    
    > Anyone know where to obtain information of re-assembling TCP/UDP data
    > streams.
    >
    > I mean I have captured data using Tcpdump (i.e. raw data), how do I
    > recombine the data into the original word attachment (or like)? Cannot
    > seem to find any information anywhere on the technical involved in this.
    >
    > Thanks
    > Susan Chan Lee
    > Security Associates - Singapore
    >
    > *************************************************************
    > Advanced Hands-On Security in the Arabic Gulf
    > DefensiveHacking and DefensiveForensics, Qatar January 2003
    > www.securityassoc.com/DefensiveCourse.pdf
    > *************************************************************
    >
    >
    >
    > -----------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    >
    >
    
    
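One way to do the sequence-number reassembly Sam describes, as an added example that is not code from this thread or from tcpdump/Ethereal: a minimal one-direction TCP reassembler run over constructed segments (the ISN, sequence numbers and payloads below are made up). It tolerates out-of-order capture, retransmissions and overlaps, and reports any gaps where the capture (for example, a too-short snap length) missed data.

```python
def reassemble(isn, segments):
    """Rebuild one direction of a TCP byte stream from captured segments.

    isn      -- initial sequence number from that side's SYN; the first data
                byte carries sequence number isn + 1.
    segments -- iterable of (seq, payload) pairs in capture order; any order,
                duplicates and overlaps are allowed.
    Returns (data, gaps): the reconstructed bytes and a list of (start, end)
    sequence ranges never seen (padded with NUL so later offsets stay right).
    Overlap policy: the first byte seen for a position wins.  A real analyzer
    must mirror the policy of the receiving host, because hosts differ here.
    """
    mask = 0xFFFFFFFF
    base = (isn + 1) & mask
    # Relative offsets make 32-bit sequence-number wraparound a non-issue.
    chunks = sorted(((seq - base) & mask, bytes(payload))
                    for seq, payload in segments if payload)
    buf = bytearray()
    gaps = []
    for off, payload in chunks:
        if off + len(payload) <= len(buf):
            continue                          # pure retransmission, nothing new
        if off > len(buf):                    # hole: the capture missed data
            gaps.append(((base + len(buf)) & mask, (base + off) & mask))
            buf.extend(b"\x00" * (off - len(buf)))
        buf.extend(payload[len(buf) - off:])  # keep only the new tail
    return bytes(buf), gaps


# Constructed example: an HTTP request split over three segments, captured
# out of order, plus one retransmission that overlaps two of them.
ISN = 1000
CAPTURED = [
    (1012, b".doc HTTP/1.0\r\n"),   # second segment seen first
    (1001, b"GET /report"),         # first data byte is ISN + 1
    (1027, b"\r\n"),                # end of the request
    (1006, b"report.doc"),          # overlapping retransmission
]

def demo():
    return reassemble(ISN, CAPTURED)

if __name__ == "__main__":
    data, gaps = demo()
    print(data.decode("ascii"), gaps)
```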



    This archive was generated by hypermail 2b30 : Thu Dec 19 2002 - 19:27:18 PST