Combining frames into TCP packets

  • Question

  • I'm looking to capture TCP packets (segments), as sent by the standard send() API.  Since these packets may be larger than 1500 bytes, they are broken up into multiple Ethernet frames.  In Network Monitor's Frame Summary window, I'm seeing frames such as:

    36  ...  TLS:TLS Rec Layer ...

    37 ...   TCP:[Continuation to #36] ...

    38 ...   TCP:[Continuation to #36] ...

    This example is a TLS protocol record larger than 1500 bytes and sent over TCP.  Network Monitor parses frame #36 as a TLS record, but misses the continuation of this record in frames #37 and #38.  Is there a way to combine all of these frames into a single TLS record and have Network Monitor parse the whole thing?

    Please excuse this question if it's elementary, but I'm just getting started with Network Monitor and see no obvious solution to this in the documentation.  Thanks for any help.


    :-( + :-) = :-) :-)

    Friday, October 12, 2012 11:14 AM

Answers

  • Hi Paul,

    Once you've saved and loaded the capture in Network Monitor, click on the Reassemble button in the top toolbar.  This will open a new window which will contain a trace that has these messages already combined.  You can filter on 'PayloadHeader' to see all these reassembled packets.

    Your other option is to try our Message Analyzer Beta (available on our Connect site here) which will automatically reassemble the messages when loading.

    Thanks,


    Michael Hawker | Program Manager | Network Monitor

    Friday, October 12, 2012 8:39 PM
    Moderator

All replies

  • Thanks, that explains it -- I see that reassembly is supported only for saved captures, not live.

    Since I'd like to analyze in real time, is there an approach better than periodically saving and parsing the captures (say, every one minute)?  It seems there will be a problem if packets to be reassembled happen to straddle consecutive captures.


    :-( + :-) = :-) :-)

    Friday, October 12, 2012 9:06 PM
  • Hi Paul,

    There's not a way to get the Network Monitor UI to do this in realtime.  Our API and nmcap support some forms of realtime reassembly, though it really hurts performance and then there's no good way to view that information in a form you're used to seeing.

    However, that's where Message Analyzer stands out as it's built around the notion of creating these complete views of data.  You can get its auto-reassembly benefit while capturing in realtime and use it with not just network data but other system events as well.

    I'd encourage you to check out the Beta.  We'd love to hear any feedback you have with your experience with it as well.

    Thanks again,


    Michael Hawker | Program Manager | Network Monitor

    Friday, October 12, 2012 9:14 PM
    Moderator
  • Sounds good, thanks.  My task is to build a command-line tool that extracts certain fields from protocol records (e.g., TLS) that may be fragmented among multiple Ethernet frames.  Network Monitor's parsers extract the field data nicely.  Hopefully I can do this programmatically via the API and nmcap or Message Analyzer.  I'll see how it goes.  Any tips much appreciated.


    :-( + :-) = :-) :-)

    Friday, October 12, 2012 11:21 PM
  • It may be a bit harder to do it programmatically with Message Analyzer at the time being (it'll just display it automatically for you unlike Network Monitor).

    There will be greater PowerShell support with Message Analyzer in the future, though; we have a few examples with our Beta.

    If you still want to move forward on the older platform, I would suggest looking at our experts at http://nmexperts.codeplex.com/ as they would show you how you can enable reassembly in the API in order to decode a full packet of information.

    Thanks,


    Michael Hawker | Program Manager | Network Monitor

    Friday, October 12, 2012 11:25 PM
    Moderator
  • I've tried Message Analyzer, which appears to do the reassembly automatically and works fine.  If the NM API were also to support this, that would be great.

    Also, I took a look at some Experts, but these don't appear suited for live capture analysis.  As I understood, these are just applications that process saved capture files via the NM API.


    :-( + :-) = :-) :-)

    Wednesday, October 17, 2012 3:17 AM
  • Hi Paul,

    You're right, all the experts out there work on static files, but how you process data is the same API in the NMAPI.  It's just when live capturing you get a callback vs. pulling a frame out of a file.  You can see a Live Capture example in the documentation which ships with Network Monitor.

    You can combine the live sample with the types of analysis done by experts to create a system which can reassemble and analyze data on the fly.  It's just that if you're on a higher speed network, you probably won't be able to keep up by doing all that work, but you'd have to try it and know for sure and then possibly look into adding high performance capture filters.

    Thanks,


    Michael Hawker | Program Manager | Network Monitor

    Wednesday, October 17, 2012 6:45 PM
    Moderator
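The reassembly the thread is about, as an added example written for this page (it is not Network Monitor, Message Analyzer or NMAPI code, and Python is used as a stand-in for whatever language the tool is built in): it orders the TCP segments of one direction by sequence number, tolerates a continuation frame arriving early, carves TLS records by their 5-byte header, and keeps an incomplete record's bytes until the continuation frames arrive, which is exactly the state a tool must carry over when a record straddles two consecutive captures. The frame sizes, sequence numbers and record contents are constructed.

```python
import struct

TLS_HEADER_LEN = 5
CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}

class TlsStreamReassembler:
    """One direction of a TCP stream: orders segments by seq and carves TLS records."""

    def __init__(self, initial_seq):
        self.next_seq = initial_seq  # next byte expected from the sender
        self.pending = {}            # out-of-order segments keyed by seq
        self.buffer = b""            # contiguous bytes not yet parsed as records

    def add_segment(self, seq, payload):
        """Feed one TCP segment; return the TLS records it completes (if any)."""
        if seq < self.next_seq:                      # retransmission: drop the bytes
            payload = payload[self.next_seq - seq:]  # we already hold
            seq = self.next_seq
        if payload:
            self.pending[seq] = payload
        while self.next_seq in self.pending:         # drain all segments now in order
            data = self.pending.pop(self.next_seq)
            self.buffer += data
            self.next_seq += len(data)
        return self._parse_records()

    def _parse_records(self):
        records = []
        while len(self.buffer) >= TLS_HEADER_LEN:
            ctype, version, length = struct.unpack("!BHH", self.buffer[:TLS_HEADER_LEN])
            if len(self.buffer) < TLS_HEADER_LEN + length:
                break  # record continues in a later frame (or in the next capture file)
            body = self.buffer[TLS_HEADER_LEN:TLS_HEADER_LEN + length]
            self.buffer = self.buffer[TLS_HEADER_LEN + length:]
            records.append({"type": CONTENT_TYPES.get(ctype, ctype),
                            "version": version, "length": length, "body": body})
        return records

def demo():
    """Constructed sample: a 3000-byte Handshake record over three segments (frames 36-38), frame 38 early."""
    body = bytes(range(256)) * 11 + b"\x00" * 184               # 3000 bytes of record payload
    record = struct.pack("!BHH", 22, 0x0303, len(body)) + body  # 3005 bytes on the wire
    isn = 1000
    frames = [(isn, record[:1460]), (isn + 1460, record[1460:2920]), (isn + 2920, record[2920:])]
    r = TlsStreamReassembler(isn)
    out = r.add_segment(*frames[0])   # frame 36: header parsed, record still incomplete
    out += r.add_segment(*frames[2])  # frame 38 arrives early: held as out-of-order
    out += r.add_segment(*frames[1])  # frame 37 fills the gap: the record completes
    return out, len(r.buffer)         # leftover bytes would be carried into the next capture
```

Bytes left in `buffer` at the end of a capture are the part of a record that the next capture must be prepended to, which is the straddling case raised in the thread.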