I'm writing a packet generator right now. Testing it with Wireshark and a VM. I have an exercise on my checklist to send 3 packets in a row: 1. TCP on port 80, with SYN=1 and MF=1 flags. 2. TCP on port 135, with SYN=1 and MF=1 flags. 3. TCP on port 80, with MF=0 and offset=24.
I'm sending all the packets with the same ID field on the IP layer. So as I understand it, Wireshark should try to reassemble these packets. But will it reassemble packets from different ports? And what should we get as the final result? All I get is 3 IPv4 packets.
http://cs625124.vk.me/v625124860/10bf5/BQFUbKT7zVs.jpg
Addition: I noticed that if I change the offset of the last TCP packet to 16, then we get a slightly different kind of traffic:
We got one HTTP or continuous packet. And here the checksum is wrong. I tried to copy the correct checksum to the first TCP packet and then I got RST, so I think that Wireshark interpreted the SYN from the 1st packet: http://s28.postimg.org/z3w7ibhjx/image.png
So could you please explain to me, was the last result correct? I would appreciate any help. Sorry if it is something basic. It's my first experience of writing a WinForms application and of using the Pcap.Net library too. Thanks in advance! Sorry for the links, I have no reputation(
First, a TCP session is defined by the tuple:
If you have packets with different tuples, they will not be part of the same TCP session.
You get a RST when the server closes the session.
It is likely the server doesn't like getting SYN packets from port 21 (FTP) to its port 80 (HTTP).
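The fragment handling asked about in the question can be modelled with a small reassembler; this is an added example, not part of the original posts and not Wireshark's or Pcap.Net's code. It assumes the offsets 24 and 16 are byte offsets, that the first two fragments each carry a 20-byte TCP header with no options, and that the last fragment carries 8 bytes; the addresses, ID value, source port and payload are constructed.

```python
import struct
from collections import defaultdict

def tcp_header(sport, dport, flags):
    # 20-byte TCP header, no options; checksum left at 0 (constructed sample)
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)

def reassemble(fragments):
    """Return {key: bytes or None}; None means the datagram is still incomplete."""
    buckets = defaultdict(list)
    for f in fragments:
        # RFC 791 reassembly key: IP-layer fields only. TCP ports are not part of it.
        buckets[(f["src"], f["dst"], f["proto"], f["ident"])].append(f)
    out = {}
    for key, frags in buckets.items():
        final = [f for f in frags if not f["mf"]]
        if not final:                      # no MF=0 fragment yet: length unknown
            out[key] = None
            continue
        total = final[0]["offset"] + len(final[0]["data"])
        buf, covered = bytearray(total), [False] * total
        for f in frags:                    # arrival order
            for i, b in enumerate(f["data"], start=f["offset"]):
                # Overlap policy differs between stacks; this model keeps the
                # first byte that arrived for each position.
                if i < total and not covered[i]:
                    buf[i], covered[i] = b, True
        out[key] = bytes(buf) if all(covered) else None   # any hole => incomplete
    return out

def demo(last_offset):
    # Constructed sample: addresses, ID, source port and payload are made up.
    ip = {"src": "192.0.2.10", "dst": "192.0.2.20", "proto": 6, "ident": 0x1234}
    SYN = 0x02
    frags = [
        dict(ip, offset=0, mf=True, data=tcp_header(21, 80, SYN)),
        dict(ip, offset=0, mf=True, data=tcp_header(21, 135, SYN)),
        dict(ip, offset=last_offset, mf=False, data=b"ABCDEFGH"),
    ]
    return reassemble(frags)[("192.0.2.10", "192.0.2.20", 6, 0x1234)]

if __name__ == "__main__":
    for off in (24, 16):
        r = demo(off)
        print(off, "incomplete (hole)" if r is None else
              f"{len(r)} bytes, dport={struct.unpack('!H', r[2:4])[0]}")
```

Under these assumptions an offset of 24 leaves bytes 20 to 23 uncovered, so the datagram never completes, while an offset of 16 closes the gap and yields a single 24-byte TCP segment.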