Wireshark-dev: Re: [Wireshark-dev] Advice needed: desegmentation

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Thu, 17 Aug 2006 16:57:25 -0700

On Aug 17, 2006, at 4:15 PM, Stephen Fisher wrote:

I am working on the dissector for the VNC protocol.  I am trying to
figure out what the best way to reassemble one message type that spans
multiple TCP segments.  I have come across two different methods in
other dissectors: one that is in the developer's guide using
tcp_dissect_pdus() and the other that sets pinfo->desegment_offset and
pinfo->desegment_len.

Both of those work by setting pinfo->desegment_offset and pinfo->desegment_len; the difference is that, if you use tcp_dissect_pdus(), tcp_dissect_pdus() sets them for you, and does other work for you as well.


I'm not sure which (if either) of the above will work due to the way
these messages are sent.  The message has multiple rectangle updates
with different types of encoding for each and then pixel data.  The
length of pixel data in each message depends on the parameters of
that rectangle update (width x height) and its encoding type.  I don't
know how many bytes will span across to the next segment until I reach
the last rectangle update of the current segment.

I need to be able to keep extending the reassembly by another packet as
I go through each packet.  There is no field that tells me how many
segments it will span.  For example, packet #1 may have 10 rectangle
updates and the 10th spans into the next segment.  Once I get to the
next segment, it may have another 10 with the final rectangle update
spanning to the next segment.  This may go on for 10-15 packets.  I would
prefer that each of these turn into "tcp segment of a reassembled PDU"
and the final one be the normal dissection of all of the rectangle
updates put end to end.

tcp_dissect_pdus() only works if the length of the entire PDU can be determined by looking at a small amount of data at the beginning of the PDU (and if the small amount of data is no larger than the smallest possible PDU).

It sounds as if you cannot determine the total length of the PDU by looking at a small amount of data at the beginning of the PDU; if so, tcp_dissect_pdus() cannot work.
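
Added example, not part of the original message and not Wireshark code: a stand-alone C sketch of the case discussed above, where the PDU length is only known after walking every rectangle, so the parser reports how many more bytes it needs at each stop. It assumes the RFB FramebufferUpdate layout (4-byte message header, 12-byte rectangle header) and handles only the Raw and CopyRect encodings; `fbupdate_need`, the constants and the sample bytes are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdint.h>

enum { MSG_HDR = 4, RECT_HDR = 12, ENC_RAW = 0, ENC_COPYRECT = 1 };

static uint32_t be(const uint8_t *p, int n)   /* read n-byte big-endian value */
{
    uint32_t v = 0;
    while (n-- > 0) v = (v << 8) | *p++;
    return v;
}

/* Walk one FramebufferUpdate held in buf[0..len).
 * Returns 0 when the whole PDU is present (*pdu_len = its size),
 * N > 0 when at least N more bytes are needed before the walk can continue
 * (the value a dissector would request via pinfo->desegment_len, with
 * pinfo->desegment_offset left at the start of the PDU),
 * -1 for an encoding whose length this sketch cannot compute. */
int64_t fbupdate_need(const uint8_t *buf, size_t len, unsigned bytes_per_pixel,
                      size_t *pdu_len)
{
    size_t off = MSG_HDR;                 /* type, padding, rectangle count */
    if (len < off) return (int64_t)(off - len);
    uint32_t nrects = be(buf + 2, 2);
    for (uint32_t i = 0; i < nrects; i++) {
        size_t avail = len - off;         /* off <= len holds on every pass */
        if (avail < RECT_HDR) return (int64_t)(RECT_HDR - avail);
        uint64_t w = be(buf + off + 4, 2), h = be(buf + off + 6, 2);
        uint32_t enc = be(buf + off + 8, 4);
        uint64_t data;                    /* 64-bit: w*h*bpp must not wrap */
        if (enc == ENC_RAW) data = w * h * bytes_per_pixel;
        else if (enc == ENC_COPYRECT) data = 4;   /* src-x, src-y */
        else return -1;
        avail -= RECT_HDR;
        if (avail < data) return (int64_t)(data - avail);
        off += RECT_HDR + (size_t)data;
    }
    *pdu_len = off;
    return 0;
}

/* Constructed sample: 2 rectangles, Raw 2x1 at 4 bytes/pixel, then CopyRect. */
static const uint8_t sample_pdu[40] = {
    0, 0, 0, 2,
    0,0, 0,0, 0,2, 0,1, 0,0,0,0,   1,2,3,4,5,6,7,8,
    0,0, 0,0, 0,1, 0,1, 0,0,0,1,   0,0, 0,0,
};
```

Each positive return is only a lower bound, because further rectangle headers may follow; the caller asks for that many bytes and runs the walk again from the start of the PDU once they arrive.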