How to sort TCP fragments

Question

I have 10 unsorted TCP segments (A-J) and I want to sort them temporarily. The information I have from each one:

• A:{Sequence number: 43 4a 6f bd, Acknowledgment number: 66 6e b6 f4, Flags: ACK}.
• B:{Sequence number: 43 4a 6e 71, Acknowledgment number: 66 6e b2 53, Flags: ACK}.
• C:{Sequence number: 43 4a 6e 70, Acknowledgment number: 00 00 00 00, Flags: SYN}.
• D:{Sequence number: 66 6e b6 f3, Acknowledgment number: 43 4a 6f bd, Flags: ACK+FIN}.
• E:{Sequence number: 66 6e b2 52, Acknowledgment number: 43 4a 6e 71, Flags: ACK+SYN}.
• F:{Sequence number: 66 6e b2 53, Acknowledgment number: 43 4a 6f bd, Flags: ACK+PSH}.
• G:{Sequence number: 66 6e b2 53, Acknowledgment number: 43 4a 6f bd, Flags: ACK}.
• H:{Sequence number: 66 6e b3 a4, Acknowledgment number: 43 4a 6f bd, Flags: ACK+PSH}.
• I:{Sequence number: 43 4a 6e 71, Acknowledgment number: 66 6e b2 53, Flags: ACK+PSH}.
• J:{Sequence number: 43 4a 6f bd, Acknowledgment number: 66 6e b6 f3, Flags: ACK}.

As far as I know the first one should be C and the second one E, but I have no idea how to arrange the other segments.

Thanks

Answer 1

For sorting more accurate, you need to have each packet's payload size (in order not to miss the order of segments which have overlap with their previous segment).

But if you're sure that there is no segment with some overlapped data, you can sort packets by comparing their sequence and acknowledgment numbers (and also considering control flags).

It's better to sort packets in each direction independently at first:

Request side: C, B, I, J, A.

Response side: E, G, F, H, D.

In choosing between F and G, we consider that F's PSH flag is set; So it contains data and advances the sequence number. Therefore, it should come after G since G seems not to contain any data.

Now we can merge by comparing each side's first packet:

1. C: SYN

2. E: SYN + ACK

3. B: ACKs E

4. I: G's acknowledgment number is greater than I's sequence number.

5. G: J's acknowledgment number is greater than G's sequence number.

6. F: J's acknowledgment number is greater than F's sequence number.

7. H: J's acknowledgment number is greater than H's sequence number.

8. J: J is before D since it doesn't ACK D. (D's FIN control flag is set; So it advances the sequence number.)

9. D: A's acknowledgment number is greater than D's sequence number.

10. A