
I am capturing HTTP packets, and as I expected, it is breaking them up as some of the packets are just too large for one packet. How can I merge packets together? I've looked into the structure, and nothing is popping out. The one thing I did find is that the Window size is the same for all the packets that should belong together.

I also considered just accumulating all the packet data, and parsing using the HTTP header information, but there has to be a better way - as I am sure some of the packets I am seeing can be rejected and requested again.

I am using the C library, code would be nice, but I am more interested in how I should merge these at the library level.

Kladskull

1 Answer


> I also considered just accumulating all the packet data, and parsing using the HTTP header information, but there has to be a better way

No, there doesn't.

If by "packets" you mean "HTTP requests and responses", then the only way to determine when an HTTP request or response starts or ends is to parse the HTTP headers, looking for, for example, the blank line that indicates the end of the HTTP headers, and the Content-Length: header that indicates the length of the HTTP entity body if present.

TCP provides a byte stream service to protocols such as HTTP that run on top of it. It provides NO services to delimit that byte stream into packets, so there's NOTHING in the TCP headers to indicate where packets on top of TCP begin or end.

That's exactly how Wireshark reassembles HTTP requests and responses.

> as I am sure some of the packets I am seeing can be rejected and requested again.

How is that relevant here?

Kladskull
  • I assumed that I would see failed packets, but after some reading, looks like I assumed wrong. Thanks a lot for the reply, I'm starting the accumulation and HTTP parsing now. – Kladskull Nov 29 '14 at 00:17
  • "Failed" in what sense? At the HTTP layer, you might see requests that fail, but those aren't different, at the network layer, from requests that succeed, and if the request fails with something other than a timeout (i.e., no response from the server), the reply to the failed request will be an HTTP reply - it'll just happen to have a status like 404 and an entity body such as the one on [this page](http://www.bluegg.co.uk/404). –  Nov 29 '14 at 01:43
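
The accumulate-and-parse approach from the answer, sketched in C as an added example (not code from the question, the answer, or libpcap): TCP payload bytes for one direction of a connection are appended to a buffer, and a message is complete once the blank line ending the headers and `Content-Length` bytes of body have arrived. It assumes the caller feeds payloads in sequence order with retransmitted duplicates already discarded, and it handles only `Content-Length` framing (no chunked transfer encoding); `http_stream`, `stream_feed`, `stream_next_message` and `stream_consume` are hypothetical names.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

struct http_stream { char buf[65536]; size_t len; };  /* one TCP direction (hypothetical) */

/* Append one segment's payload, already in sequence order. -1 if the buffer is full. */
int stream_feed(struct http_stream *s, const void *data, size_t n) {
    if (n > sizeof s->buf - s->len) return -1;
    memcpy(s->buf + s->len, data, n);
    s->len += n;
    return 0;
}

/* Size of the first complete message; 0 = need more bytes, -1 = malformed. */
long stream_next_message(const struct http_stream *s) {
    size_t hdr_end = 0, body = 0, i, eol, p;
    for (i = 0; i + 4 <= s->len && !hdr_end; i++)      /* blank line ends headers */
        if (memcmp(s->buf + i, "\r\n\r\n", 4) == 0) hdr_end = i + 4;
    if (!hdr_end) return 0;
    for (i = 0; i < hdr_end; i = eol + 2) {             /* walk the header lines */
        for (eol = i; memcmp(s->buf + eol, "\r\n", 2) != 0; eol++) ;
        if (eol - i <= 15 || strncasecmp(s->buf + i, "Content-Length:", 15)) continue;
        for (p = i + 15, body = 0; p < eol && (s->buf[p] == ' ' || s->buf[p] == '\t'); p++) ;
        do {                                            /* strict decimal, >= 1 digit */
            if (p == eol || s->buf[p] < '0' || s->buf[p] > '9' || body > sizeof s->buf) return -1;
            body = body * 10 + (size_t)(s->buf[p] - '0');
        } while (++p < eol);
    }
    return s->len >= hdr_end + body ? (long)(hdr_end + body) : 0;
}

/* Drop a finished message (n bytes) from the front of the buffer. */
void stream_consume(struct http_stream *s, size_t n) {
    if (n > s->len) n = s->len;
    memmove(s->buf, s->buf + n, s->len - n);
    s->len -= n;
}

int main(void) {
    static struct http_stream s;   /* seg[] below is constructed sample input */
    const char *seg[] = { "HTTP/1.1 200 OK\r\nContent-Le", "ngth: 5\r\n\r\nhel",
                          "loHTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n" };
    for (int k = 0; k < 3; k++) {
        stream_feed(&s, seg[k], strlen(seg[k]));
        for (long n; (n = stream_next_message(&s)) > 0; stream_consume(&s, (size_t)n))
            printf("segment %d completes a %ld-byte message\n", k + 1, n);
    }
    return 0;
}
```

A message whose declared body exceeds the buffer never completes here; the caller sees that as `stream_feed` returning -1 and should drop the stream.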