Wireshark-dev: Re: [Wireshark-dev] problems with fragmented reassembly on tcp

From: "Anders Broman \(AL/EAB\)" <anders.broman@xxxxxxxxxxxx>
Date: Thu, 5 Oct 2006 10:49:30 +0200
Hi,
Let's assume tcp_dissect_pdus() works as expected (if not, that's a
separate issue).

If you look at the code in the diameter dissector:
static guint
get_diameter_pdu_len(tvbuff_t *tvb, int offset)
{
  /* Get the length of the Diameter packet. */
  return tvb_get_ntoh24(tvb, offset + 1);
}

static int
dissect_diameter(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
  if (!check_diameter(tvb))
	return 0;
  dissect_diameter_common(tvb, pinfo, tree);
  return tvb_length(tvb);
}

static void
dissect_diameter_tcp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
  tcp_dissect_pdus(tvb, pinfo, tree, gbl_diameter_desegment, 4,
	get_diameter_pdu_len, dissect_diameter_common);
} /* dissect_diameter_tcp */

Your corresponding code would be something like:
 
tcp_dissect_pdus(tvb, pinfo, tree, gbl_diameter_desegment, 6 + "length of length parameter",...
get_diameter_pdu_len should fetch the length parameter.
check_diameter() should check for the "55's".

The fifth parameter to tcp_dissect_pdus() (4 in the example) is the
minimum length required to determine the full length of the PDU,
which in this case is the number of bytes required to get to, and
including, the length parameter.
Best regards
Anders

-----Original Message-----
From: wireshark-dev-bounces@xxxxxxxxxxxxx
[mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Still Life
Sent: 5 October 2006 09:40
Cc: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] problems with fragmented reassembly on tcp

Kristof Provost wrote:
> I suspect it will be easier if you use the tcp_dissect_pdus() function.
> If you can determine the message length without reading the entire 
> message (you can) that's the recommended approach.

I can determine the *message* length only when I already have the
complete header.
Imagine if I capture a multiple message packet and imagine it is
fragmented at a point after the end of the ultimate complete message and
before the mesageLenght field of the broken message:

              |<-----------------myMsg------------------->|
...|---------+------- -+----+------------+--------+--||---+
...|tcpHeader|5555555 5|0000|mesageLenght|messgeId|details|
...|---------+------- -+----+------------+--------+--||---+
                      ^Fragmentation

I can't understand how many bytes I have to take to complete the PDU.
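
The two-step wait described in the reply above (first for the fixed-length part, then for the declared PDU length), applied to the fragmentation case in the diagram, as an added stand-alone C example that is not code from Wireshark or from either poster. The field sizes (4 sync bytes of 0x55, 2 zero bytes, a 2-byte big-endian length covering the whole message), MAX_PDU, the sample stream and all function names are assumptions.

```c
#include <stdint.h>
#include <string.h>

/* Assumed layout (the page gives no field sizes): 4 sync bytes 0x55, 2 zero
 * bytes, then a 2-byte big-endian length that counts the whole message. */
#define FIXED_LEN 8u     /* 6 + length of the length parameter */
#define MAX_PDU   4096u  /* assumed sanity cap on the declared length */
enum { NEED_MORE = 0, BAD_PDU = -1 };

/* Constructed stream: a 10-byte message followed by a 12-byte message. */
static const uint8_t SAMPLE[22] = {
    0x55, 0x55, 0x55, 0x55, 0, 0, 0, 10, 0xA1, 0xA2,
    0x55, 0x55, 0x55, 0x55, 0, 0, 0, 12, 0xB1, 0xB2, 0xB3, 0xB4 };

/* PDU length at buf, NEED_MORE if more bytes are needed, BAD_PDU if implausible. */
static int next_pdu(const uint8_t *buf, size_t avail)
{
    static const uint8_t magic[6] = { 0x55, 0x55, 0x55, 0x55, 0, 0 };
    unsigned len;
    if (avail < FIXED_LEN)
        return NEED_MORE;   /* cut before or inside the length field */
    if (memcmp(buf, magic, sizeof magic) != 0)
        return BAD_PDU;     /* the check for the "55's" */
    len = ((unsigned)buf[6] << 8) | buf[7];
    if (len < FIXED_LEN || len > MAX_PDU)
        return BAD_PDU;     /* a length below the header would never advance */
    return avail < len ? NEED_MORE : (int)len;
}

/* Deliver the stream in segments of the given sizes; return PDUs dissected. */
static int count_pdus(const uint8_t *stream, const size_t *seg, size_t nseg)
{
    size_t start = 0, end = 0, i;
    int n = NEED_MORE, found = 0;
    for (i = 0; i < nseg && n != BAD_PDU; i++) {
        end += seg[i];
        while ((n = next_pdu(stream + start, end - start)) > 0) {
            start += (size_t)n;
            found++;
        }
    }
    return n == BAD_PDU ? BAD_PDU : found;
}

int main(void)
{
    const size_t seg[2] = { 13, 9 };  /* cut inside the second message's 55's */
    return count_pdus(SAMPLE, seg, 2) == 2 ? 0 : 1;
}
```

Rejecting a declared length smaller than the fixed part, or larger than a cap, keeps a malformed length field from stalling the loop or forcing unbounded buffering.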