I'm writing a small application using libpcap, where I parse/analyze a TCP based application. I faced a situation, where application attempts to send a really large amount of data, say 64K, and TCP layer cuts it into a number of smaller segments.
Now, my question is -- how do I really tell that a TCP payload of the packet, read from pcap, is actually a chunk of a larger payload. So, in order to access original large payload, number of segments will need to be re-assembled.
TCP header has sequence field, but I don't fully understand how it can answer my question.
Also, IP header has total_length field, but it has nothing to do with TCP segmentation, it indicates IP payload size of the current packet.
I'd appreciate to get some hints. Thanks.
TCP can't help you here because it neither knows nor cares what PDUs are. You need to implement whatever protocol defines what a "large PDU" is. For example, if this is HTTP over TCP, implementing the HTTP protocol will tell you if the segment is part of a large PDU.
Because my question was - how do I tell that I have a small segment that has to be reassembled in a large packet.
That's what a message protocol is for. If, for example, the message protocol says that a PDU is a "series of characters not containing a newline character terminated by a newline character", then if you don't have a newline character, you know it's part of a larger PDU.
The concept of PDUs applies to message protocols, so if you're talking about PDUs, you must have a message protocol. The message protocol will tell you when you have an entire PDU. That's its purpose.