
Question regarding Reassembly and Fragmentation #1689

Open
zyl-one opened this issue Jan 17, 2025 · 3 comments

zyl-one commented Jan 17, 2025

Question

I am trying to parse TLS packets for SNI (Server Name Indication) over TCP. Most of the packets I see in Wireshark show that they are reassembled. (I'm not sure if this is TCP reassembly or IP fragmentation, as I have only recently started exploring these topics).

I am trying to understand how TCP reassembly and IP fragmentation work in PcapPlusPlus.

Should I handle IP fragmentation first and then pass the stream of data for TCP reassembly?
Is there a way to parse TCP packets directly after TCP reassembly in PcapPlusPlus (i.e., parse immediately if there are no segments, or reassemble and parse if there are segments, just like Wireshark)?

[screenshot attached]

Operating systems

Windows, Linux (v23.09)

zyl-one (Author) commented Jan 22, 2025

@seladb Kindly help!

seladb (Owner) commented Jan 23, 2025

@zyl-one I'm sorry for the late response. From the screenshot it seems this is TCP reassembly and not IP fragmentation.
Unfortunately there is currently no way to parse TCP reassembled data using the packet parsers.
A (kinda hacky) workaround could be:

  1. Use TCP reassembly to get the TCP data
  2. Construct a "fake packet" out of it meaning add Eth, IP and TCP layers (the connection data such as IP addresses and ports are available in TCP reassembly) and then add the reassembled data as PayloadLayer
  3. Get the "fake packet" raw data and let PcapPlusPlus parse it again - you should get the TLS packet now

Please let me know if this workaround can work for you

zyl-one (Author) commented Jan 23, 2025

@seladb Thanks for your response.

I have a few doubts. Consider that I’m parsing a Client Hello packet which has been split into two segments and requires TCP reassembly. Segment #1 is 1460 bytes, as shown in the screenshot, and Segment #2 contains the remaining 294 bytes.

Question 1: Will TCP reassembly return the entire stream in this case, i.e., Segment #1 and Segment #2 (1460 + 294 = 1754 bytes)? I am only interested in reassembly and parsing till the handshake is complete (Client Hello and Server Hello)

Question 2: Will the whole connection payload data be in memory? For example, if it’s a long connection that grows up to 1GB, will it occupy 1GB of memory until a FIN or RST flag is received? Holding the payload for multiple connections would be costly, right?

Question 3: How can I implement something similar to Wireshark? It seems to identify which packets (segments) contribute to a Client Hello packet (for example, combining packets 3 and 4, which were segmented, into the complete Client Hello) and then parses it. How does it determine when the reassembly for the current actual packet from the source has been completely received and now it is time to combine them to form the actual packet and parse them?

>   1. Use TCP reassembly to get the TCP data
>   2. Construct a "fake packet" out of it meaning add Eth, IP and TCP layers (the connection data such as IP addresses and ports are available in TCP reassembly) and then add the reassembled data as PayloadLayer
>   3. Get the "fake packet" raw data and let PcapPlusPlus parse it again - you should get the TLS packet now

Will try this out and keep you posted.

Thanks in advance. Your help is greatly appreciated!
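The workaround above (reassemble, wrap in a fake packet, re-parse) and question 3 (how a dissector knows the ClientHello is complete) share one missing piece: the TLS record header carries a 2-byte length, so a parser can tell from the first 5 reassembled bytes how many more it must wait for. The following self-contained C++ is an added example, not PcapPlusPlus code and not something posted in this thread. It orders TCP segments by sequence number, stops at the first hole, checks the record length before parsing, and then reads the server_name extension. The ClientHello bytes, the hostnames, the 40-byte split point and the sequence numbers are all constructed here for the demonstration; a real ClientHello is much longer (the 1460 + 294 bytes in the screenshot) but has the same layout. In a PcapPlusPlus program the `reassemble` step would be replaced by the bytes that `TcpReassembly` delivers to its callback, and the fake-packet step would use `EthLayer`, `IPv4Layer`, `TcpLayer` and `PayloadLayer` as seladb describes.

```cpp
// Added example (not PcapPlusPlus code): order TCP segments, use the TLS record
// header to know when the ClientHello is complete, then read the SNI.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

using Bytes = std::vector<uint8_t>;

// One TCP segment as a reassembler sees it: relative sequence number plus payload.
struct Segment { uint32_t seq; Bytes data; };

// Concatenate segments in sequence order and stop at the first gap, so the
// parser only ever sees bytes that are contiguous from the start of the stream.
Bytes reassemble(std::vector<Segment> segs) {
    std::sort(segs.begin(), segs.end(),
              [](const Segment& a, const Segment& b) { return a.seq < b.seq; });
    Bytes out;
    uint32_t next = segs.empty() ? 0 : segs.front().seq;
    for (const Segment& s : segs) {
        if (s.seq != next) break;                       // hole: wait for more segments
        out.insert(out.end(), s.data.begin(), s.data.end());
        next += static_cast<uint32_t>(s.data.size());
    }
    return out;
}

// TLS record header: content type (1), version (2), length (2). Returns the
// full record size once the header is present, 0 while it is not.
size_t tlsRecordSize(const Bytes& buf) {
    return buf.size() < 5 ? 0 : 5 + (static_cast<size_t>(buf[3]) << 8 | buf[4]);
}

// The completeness check: reassembly of this message is finished exactly when
// the buffered bytes cover the length announced in the record header.
bool recordComplete(const Bytes& buf) {
    size_t n = tlsRecordSize(buf);
    return n != 0 && buf.size() >= n;
}

// Walk a complete Handshake/ClientHello record and return server_name, or "" if none.
std::string extractSni(const Bytes& buf) {
    if (!recordComplete(buf) || buf.size() < 6 || buf[0] != 0x16 || buf[5] != 0x01) return "";
    auto u16 = [&](size_t i) { return static_cast<size_t>(buf[i]) << 8 | buf[i + 1]; };
    size_t p = 5 + 4 + 2 + 32;                          // record hdr, handshake hdr, version, random
    if (p + 1 > buf.size()) return ""; p += 1 + buf[p]; // session id
    if (p + 2 > buf.size()) return ""; p += 2 + u16(p); // cipher suites
    if (p + 1 > buf.size()) return ""; p += 1 + buf[p]; // compression methods
    if (p + 2 > buf.size()) return "";
    size_t extEnd = p + 2 + u16(p); p += 2;             // extensions block
    while (p + 4 <= extEnd && extEnd <= buf.size()) {
        size_t type = u16(p), len = u16(p + 2); p += 4;
        if (type == 0x0000 && len >= 5 && p + len <= extEnd) {      // server_name (RFC 6066)
            size_t nameLen = u16(p + 3);                // list len(2), name type(1), name len(2)
            if (buf[p + 2] == 0 && 5 + nameLen <= len)
                return std::string(buf.begin() + p + 5, buf.begin() + p + 5 + nameLen);
        }
        p += len;
    }
    return "";
}

// Build a minimal ClientHello with one server_name extension (constructed test input).
Bytes buildClientHello(const std::string& host) {
    Bytes body = {0x03, 0x03};                          // client_version TLS 1.2
    body.insert(body.end(), 32, static_cast<uint8_t>(0xAA)); // random, fixed for determinism
    body.push_back(0);                                  // session id length 0
    body.insert(body.end(), {0x00, 0x02, 0xC0, 0x2F});  // one cipher suite
    body.insert(body.end(), {0x01, 0x00});              // null compression only
    size_t nl = host.size();
    Bytes sni = {0x00, 0x00, uint8_t((nl + 5) >> 8), uint8_t(nl + 5),   // type, ext len
                 uint8_t((nl + 3) >> 8), uint8_t(nl + 3), 0x00,        // list len, name type
                 uint8_t(nl >> 8), uint8_t(nl)};                        // name len
    sni.insert(sni.end(), host.begin(), host.end());
    body.insert(body.end(), {uint8_t(sni.size() >> 8), uint8_t(sni.size())});
    body.insert(body.end(), sni.begin(), sni.end());
    Bytes hs = {0x01, 0x00, uint8_t(body.size() >> 8), uint8_t(body.size())};   // handshake hdr
    hs.insert(hs.end(), body.begin(), body.end());
    Bytes rec = {0x16, 0x03, 0x03, uint8_t(hs.size() >> 8), uint8_t(hs.size())}; // record hdr
    rec.insert(rec.end(), hs.begin(), hs.end());
    return rec;
}

struct ParseResult { bool complete; std::string sni; };
// What a callback fed by a reassembler would do with the segments seen so far.
ParseResult sniFromSegments(const std::vector<Segment>& segs) {
    Bytes stream = reassemble(segs);
    return {recordComplete(stream), extractSni(stream)};
}

// Split one record into two segments at byte `cut`, mimicking a ClientHello that
// arrives as two TCP segments (the 1460 + 294 byte case in the issue).
std::vector<Segment> splitInTwo(const Bytes& rec, size_t cut, uint32_t isn) {
    return {{isn, Bytes(rec.begin(), rec.begin() + cut)},
            {isn + static_cast<uint32_t>(cut), Bytes(rec.begin() + cut, rec.end())}};
}

int main() {
    std::vector<Segment> segs = splitInTwo(buildClientHello("example.com"), 40, 1);
    ParseResult first = sniFromSegments({segs[0]});     // only segment #1 seen so far
    ParseResult both = sniFromSegments(segs);           // both segments reassembled
    std::printf("after segment 1: complete=%d sni='%s'\n", first.complete, first.sni.c_str());
    std::printf("after segment 2: complete=%d sni='%s'\n", both.complete, both.sni.c_str());
    return 0;
}
```

After segment #1 alone `recordComplete` is false and no SNI is returned; after both segments the record is complete and the hostname is read. This also answers the memory question in practice: a parser that only needs the handshake can stop buffering a direction as soon as the first record is complete and parsed, rather than keeping the connection's payload until FIN or RST.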
