Wireshark-dev: [Wireshark-dev] problems with fragmented reassembly on tcp



From: Still Life <still.life@xxxxxxxx>
Date: Wed, 04 Oct 2006 18:15:21 +0200


Hi list,
I'm fighting with TCP reassembly but I always have some
problems. I have to dissect a protocol composed of different
messages. Each message has a fixed-size header (from 55555555
to messgeId) and in mesageLenght there is the length of the
message.

           |<-----------------myMsg------------------->|
|---------+--------+----+------------+--------+--||---+
|tcpHeader|55555555|0000|mesageLenght|messgeId|details|
|---------+--------+----+------------+--------+--||---+

In each packet captured by Wireshark I can find several of these
messages, and the last message in the packet's payload
(which can be a single long message as well) can be interrupted
at any point by packet fragmentation.


I wrote a dissector in the following manner:

__________________________________________________
/* not even a full header yet: ask TCP for more data */
if (((gint)(tvb->length)) < 20)
{
    pinfo->desegment_offset = 0;
    pinfo->desegment_len = -1;
    return -1;
}
else
{
    fmessageHead    = (guint32)get_k_byte_from_n(tvb, 0, 4);
    messageId       = (guint32)get_k_byte_from_n(tvb, 4, 4);
    messageChecksum = (guint32)get_k_byte_from_n(tvb, 8, 4);
    reservedBytes   = (guint32)get_k_byte_from_n(tvb, 12, 4);
    messageLength   = (guint16)get_k_byte_from_n(tvb, 16, 2);
    message         = (guint16)get_k_byte_from_n(tvb, 18, 2);

    /* header is complete but the message body is not: ask for more */
    if (((gint)(tvb->length)) < (18 + messageLength))
    {
        pinfo->desegment_offset = 0;
        pinfo->desegment_len = -1;
        return -1;
    }
}

[.....code needed to dissect the message's details....]

/* bytes left after this message: dissect them as the next message */
if (((tvb->length) - offset) > 0)
{
    tvbuff_t* new_new_tvb;
    new_new_tvb = tvb_new_subset(tvb, offset, -1, -1);
    dissect_phones_vklone_server(new_new_tvb, pinfo,
                                 phones_vklone_server_tree);
    return 1;
}
_______________________________________________________


My idea was to dissect the packet until the end of the tvb is
reached, and if the offset remains less than tvb->length I
call the dissector recursively on the remaining subset of the tvb.
At the top I recognize whether there is a complete message header
or not, and if yes, I check if there is an entire message and ask
for other bytes if needed.

I'm still having problems with some packets.
Is my approach right? Did you notice some big mistake or do you
have some suggestion for me?
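A standalone model of the framing decision the post describes, added here as an example; it is not code from the original post and not Wireshark's API. It walks a segment payload using the header layout the posted code reads (assumed, not a real protocol), counts the whole messages and, for a message cut by segmentation, reports the offset and the exact number of missing bytes that a dissector would hand back as pinfo->desegment_offset and pinfo->desegment_len, with a guard against a length field too small to be valid.

```c
#include <stddef.h>
#include <stdint.h>
/* Header layout as read by the posted dissector (assumed, not a real protocol):
 * magic(4) id(4) checksum(4) reserved(4) length(2) message(2) details...  As in
 * the post's check "< 18 + messageLength", the length counts all bytes after itself. */
#define HDR_LEN  20
#define LEN_OFF  16
#define LEN_BASE 18

typedef struct {
    int    complete;  /* whole messages found in this segment */
    size_t offset;    /* start of the cut message (the desegment_offset to report) */
    size_t need;      /* bytes missing to finish it (the desegment_len), 0 if none */
    int    malformed; /* 1 if a length field is too small to be valid */
} frame_result;

/* Big-endian 16-bit read, the role get_k_byte_from_n(tvb, 16, 2) plays in the post. */
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Walk one segment payload, count whole messages and report exactly how many
 * bytes the trailing partial message still needs, instead of returning -1. */
frame_result frame_messages(const uint8_t *buf, size_t len)
{
    frame_result r = {0, 0, 0, 0};
    size_t off = 0;
    while (off < len) {
        size_t avail = len - off;
        r.offset = off;
        /* the header itself is cut: ask for the rest of it */
        if (avail < HDR_LEN) { r.need = HDR_LEN - avail; return r; }
        size_t msg_len = be16(buf + off + LEN_OFF);
        /* too small to hold the message field: stop rather than loop or reassemble forever */
        if (msg_len < HDR_LEN - LEN_BASE) { r.malformed = 1; return r; }
        /* body is cut: ask for the exact remainder, not "one more segment" */
        if (avail < LEN_BASE + msg_len) { r.need = LEN_BASE + msg_len - avail; return r; }
        r.complete++;
        off += LEN_BASE + msg_len;
    }
    r.offset = off; /* segment ended exactly on a message boundary */
    return r;
}

/* Constructed sample: two whole messages (24 and 20 bytes), then the first 22
 * bytes of a third whose length field says 10 (28 bytes in total). */
frame_result sample_tail_cut(void)
{
    uint8_t seg[66] = {0};
    seg[17] = 6; seg[24 + 17] = 2; seg[44 + 17] = 10;
    return frame_messages(seg, sizeof seg);
}
```

In a real dissector this is the decision that tcp_dissect_pdus() makes from a fixed header length and a get-PDU-length callback, so the recursion on a trailing subset is not needed.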


