Wireshark-dev: Re: [Wireshark-dev] problems with fragmented reassembly on tcp



From: Kristof Provost <Kristof.Provost@xxxxxxxxxx>
Date: Wed, 04 Oct 2006 18:59:11 +0200


I suspect it will be easier if you use the tcp_dissect_pdus() function.
If you can determine the message length without reading the entire
message (you can) that's the recommended approach.

See the README.developer file.

Disclaimer: I'm not a Wireshark developer, I may be wrong.

Kristof

> Hi list,
> I'm fighting with TCP reassembly but I always have some
> problems. I have to dissect a protocol composed of different
> messages. Each message has a fixed-size header (from 55555555
> to messgeId) and in mesageLenght there is the length of the
> message.
> 
>             |<-----------------myMsg------------------->|
> |---------+--------+----+------------+--------+--||---+
> |tcpHeader|55555555|0000|mesageLenght|messgeId|details|
> |---------+--------+----+------------+--------+--||---+
> 
> In each packet captured by Wireshark I can find more of these
> messages, and the last message in the packet's payload
> (it can be a single long message as well) can be interrupted
> at any point by packet fragmentation.
> 
> 
> I wrote a dissector in the following manner:
> 
> __________________________________________________
> if (((gint)(tvb->length)) < 20)
> {
>     /* not even a full header yet: ask for more data */
>     pinfo->desegment_offset = 0;
>     pinfo->desegment_len = -1;
>     return -1;
> }
> else
> {
>     fmessageHead    = (guint32)get_k_byte_from_n(tvb, 0, 4);
>     messageId       = (guint32)get_k_byte_from_n(tvb, 4, 4);
>     messageChecksum = (guint32)get_k_byte_from_n(tvb, 8, 4);
>     reservedBytes   = (guint32)get_k_byte_from_n(tvb, 12, 4);
>     messageLength   = (guint16)get_k_byte_from_n(tvb, 16, 2);
>     message         = (guint16)get_k_byte_from_n(tvb, 18, 2);
>
>     if (((gint)(tvb->length)) < (18 + messageLength))
>     {
>         /* header complete but message body not: ask for more data */
>         pinfo->desegment_offset = 0;
>         pinfo->desegment_len = -1;
>         return -1;
>     }
> }
>
> [.....code needed to dissect the message's details....]
>
> if (((tvb->length) - offset) > 0)
> {
>     /* bytes left after this message: dissect the rest recursively */
>     tvbuff_t* new_new_tvb;
>     new_new_tvb = tvb_new_subset(tvb, offset, -1, -1);
>     dissect_phones_vklone_server(new_new_tvb, pinfo,
>                                  phones_vklone_server_tree);
>     return 1;
> }
> _______________________________________________________
> 
> 
> My idea was to dissect the packet until the end of the tvb is
> reached, and if the offset remains less than tvb->length I
> call the dissector recursively on the remaining tvb subset.
> At the top I recognize whether there is a complete message header
> or not, and if yes I check whether there is an entire message and ask
> for more bytes if needed.
> 
> I'm still having problems with some packets.
> Is my approach right? Did you notice some big mistake, or
> do you have some suggestions for me?
> 
> 


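The approach Kristof points to, as an added example that is not from this thread, from the poster's dissector, or from Wireshark's own code: instead of recursing into a subset tvb and asking for an unspecified number of bytes, the dissector tells a PDU-walking loop how long its fixed header is, how to compute the full message length from that header, and what to do with one complete message. The block below models that contract of tcp_dissect_pdus() (fixed header length, a get_pdu_len callback, a per-PDU dissect callback) in plain C so it compiles without libwireshark; the real function is invoked with tvbuff/packet_info arguments and its callback shapes are documented in README.developer. The wire layout is an assumption taken from the offsets in the posted code (20-byte header, 2-byte big-endian length at offset 16, whole PDU = 18 + length) and must be checked against the actual protocol; my_get_pdu_len, scan_segment, build_sample and scan_sample are hypothetical names, and the sample segment is constructed here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout following the offsets in the posted code (not a real spec): a
 * 20-byte fixed header with a 2-byte big-endian length at offset 16, then a 2-byte
 * "message" field and the details; as in the posted check, a PDU is 18 + length bytes. */
#define MARKER           0x55555555u
#define FIXED_HEADER_LEN 20u   /* bytes needed before the length field can be read */
#define LEN_FIELD_OFFSET 16u
#define LEN_FIELD_BASE   18u

static uint32_t get_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static uint16_t get_be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Role of the get_pdu_len callback: FIXED_HEADER_LEN bytes are guaranteed to be
 * present at offset, and the whole PDU length is computed from them alone. */
size_t my_get_pdu_len(const uint8_t *buf, size_t offset)
{
    return LEN_FIELD_BASE + get_be16(buf + offset + LEN_FIELD_OFFSET);
}

typedef struct {
    size_t   pdus;       /* complete PDUs handed to the per-PDU dissector */
    size_t   consumed;   /* bytes covered by those PDUs */
    size_t   need_more;  /* bytes still missing for the next PDU (the desegment_len role) */
    uint32_t last_id;    /* messgeId of the last complete PDU */
    int      malformed;  /* marker mismatch, or a length smaller than the header */
} scan_result;

/* Role of the per-PDU dissector: it only ever sees one complete PDU. */
static uint32_t dissect_one_pdu(const uint8_t *pdu, size_t pdu_len)
{
    uint32_t id = get_be32(pdu + 4);
    printf("pdu id=%u total=%zu details=%zu bytes\n", id, pdu_len, pdu_len - FIXED_HEADER_LEN);
    return id;
}

/* Models what tcp_dissect_pdus() does on the dissector's behalf: walk the segment,
 * dissect each complete PDU, and when one is cut short report exactly how many
 * bytes are missing instead of recursing into a subset or guessing. */
scan_result scan_segment(const uint8_t *buf, size_t len)
{
    scan_result r = {0, 0, 0, 0, 0};
    size_t offset = 0;
    while (offset < len) {
        size_t avail = len - offset;
        if (avail < FIXED_HEADER_LEN) {            /* the header itself is split */
            r.need_more = FIXED_HEADER_LEN - avail;
            break;
        }
        if (get_be32(buf + offset) != MARKER) { r.malformed = 1; break; }  /* lost sync */
        size_t pdu_len = my_get_pdu_len(buf, offset);
        if (pdu_len < FIXED_HEADER_LEN) { r.malformed = 1; break; }        /* would never advance */
        if (avail < pdu_len) {                     /* body is split: exact count, not a guess */
            r.need_more = pdu_len - avail;
            break;
        }
        r.last_id = dissect_one_pdu(buf + offset, pdu_len);
        r.pdus++;
        offset += pdu_len;
    }
    r.consumed = offset;
    return r;
}

/* Constructed sample segment: two complete messages and a third one cut short. */
static size_t put_msg(uint8_t *dst, uint32_t id, uint16_t len_field, size_t truncate_to)
{
    size_t total = LEN_FIELD_BASE + len_field, n = truncate_to ? truncate_to : total;
    uint8_t tmp[64] = {0x55, 0x55, 0x55, 0x55};
    tmp[4] = (uint8_t)(id >> 24); tmp[5] = (uint8_t)(id >> 16); tmp[6] = (uint8_t)(id >> 8); tmp[7] = (uint8_t)id;
    tmp[16] = (uint8_t)(len_field >> 8); tmp[17] = (uint8_t)len_field;
    if (total > FIXED_HEADER_LEN) memset(tmp + FIXED_HEADER_LEN, 0xAB, total - FIXED_HEADER_LEN);
    memcpy(dst, tmp, n);
    return n;
}

size_t build_sample(uint8_t *out)
{
    size_t n = 0;
    n += put_msg(out + n, 1, 6, 0);    /* 24 bytes, complete */
    n += put_msg(out + n, 2, 2, 0);    /* 20 bytes: header plus the 2-byte message field */
    n += put_msg(out + n, 3, 10, 22);  /* 28-byte message of which only 22 arrived */
    return n;                          /* 66 bytes in total */
}

/* Scans the first `prefix` bytes of the sample (0 = all of it). */
scan_result scan_sample(size_t prefix)
{
    uint8_t seg[128];
    size_t len = build_sample(seg);
    return scan_segment(seg, prefix ? prefix : len);
}
```

Calling scan_sample(0) walks the 66-byte sample: two PDUs are dissected (44 bytes consumed) and the walk stops at the third with need_more set to 6, the exact number of bytes the reassembly layer should collect before calling again; scan_sample(10) stops inside the header and asks for the 10 bytes that would complete it. Two details matter for robustness: the per-PDU callback never sees a partial message, so its field reads cannot run off the end, and a length field smaller than the header is rejected rather than parsed, because a loop that advanced by zero bytes on attacker-chosen input would never terminate.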
  • Follow-Ups:
    • Re: [Wireshark-dev] problems with fragmented reassembly on tcp
      • From: John R.
    • Re: [Wireshark-dev] problems with fragmented reassembly on tcp
      • From: Still Life
  • References:
    • [Wireshark-dev] wide changes to the H248 dissector please test
      • From: LEGO
    • [Wireshark-dev] problems with fragmented reassembly on tcp
      • From: Still Life