0

I'm trying to write a program that reconstructs TCP sessions. I have a pcap file which has packets. The problem is I don't know which packets I should use to construct sessions when there is a retransmission.

http://img412.imageshack.us/img412/4655/retransmission.png

Here is what Wireshark shows about this session. Which packets should I use to reconstruct the session? The first packets or the retransmitted packets? Which of them have valid data?

I couldn't find a way to attach the pcap file; if you want, I can upload the pcap file somewhere. I'm sorry I couldn't post the image here because I don't have enough reputation.

varstas

1 Answer

1

It doesn't matter, they should all have the same data for the same byte positions. If they differ, it's arbitrary which is 'correct'. (And, in practice, that will never happen unless someone is deliberately abusing TCP to create a back channel or the like.)

David Schwartz
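
Added example (not part of the answer above, and not the asker's code): a minimal per-direction reassembler that keeps the first copy of each byte, which is an arbitrary choice as the answer notes, and records every retransmitted byte that differs from the copy already held. The `reassemble` function, its argument layout and the sample segments are assumptions constructed for illustration; extracting `(seq, payload)` pairs from the pcap is left to whatever parser you use.

```python
MOD = 1 << 32  # TCP sequence numbers wrap at 2**32

def reassemble(segments, isn):
    """Rebuild one direction of a TCP stream.

    segments: (seq, payload) tuples in capture order, retransmissions included.
    isn: sequence number carried by that direction's SYN.
    Returns (stream, conflicts, buffered_after_gap).
    """
    seen = {}        # stream offset -> byte value; the first copy captured wins
    conflicts = []   # (offset, kept_byte, differing_byte) from later copies
    for seq, payload in segments:
        # The SYN consumes one sequence number, so data starts at isn + 1.
        # The modulo keeps offsets correct when seq wraps (streams under 4 GiB).
        start = (seq - isn - 1) % MOD
        for i, byte in enumerate(payload):
            off = start + i
            if off not in seen:
                seen[off] = byte
            elif seen[off] != byte:
                conflicts.append((off, seen[off], byte))
    # Emit only the contiguous prefix; bytes past a hole are still waiting.
    stream = bytearray()
    while len(stream) in seen:
        stream.append(seen[len(stream)])
    return bytes(stream), conflicts, len(seen) - len(stream)

# Constructed sample segments (not taken from the capture in the question).
ISN = 0xFFFFFFF0
SAMPLE = [
    (0xFFFFFFF1, b"GET /index"),               # offsets 0-9
    (0xFFFFFFFB, b".html HTTP"),               # offsets 10-19
    (0xFFFFFFFB, b".html HTTP"),               # exact retransmission
    (0x0000000B, b"Host: a.test\r\n"),         # out of order, seq already wrapped
    (0xFFFFFFF6, b"index.html HTTP/1.1\r\n"),  # coalesced retransmission + new data
    (0xFFFFFFF5, b"/INDEX"),                   # overlap whose bytes differ
]

if __name__ == "__main__":
    stream, conflicts, pending = reassemble(SAMPLE, ISN)
    print(stream)
    for off, kept, other in conflicts:
        print(f"offset {off}: kept {kept:#04x}, later copy had {other:#04x}")
```

Identical retransmissions leave the conflict list empty, so any entry in it marks a flow where the copies disagree and is worth logging alongside the reconstructed stream.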