Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Wireshark-dev: [Wireshark-dev] Reassembling splitted PPP packets

Date Index Thread Index Other Months All Mailing Lists

Date Prev Date Next Thread Prev Thread Next

From: Hans Glück <hanschris.glueck@xxxxxxxx>
Date: Thu, 5 Mar 2009 05:02:45 -0800 (PST)

Hej,

I´ve written a dissector for a multiplexer-protocol. The payload of these multiplexer packets could be PPP packets, most of these packets will be splitted to several mux packets. 
I´ve tried to reassemble these PPP packets (reading that article 9.4.1. How to reassemble split UDP packets), but it doesn´t work... 
To get the necessary data I´ve added a new header to my multiplexer packet so I have the information about the fragments.

What am I doing wrong?

//Check if there is a PPP packet inside
if (sizeMuxPPPHeader > 0){
   guint16 tmpOffset = 1;
   guint16 tmpOffsetBegin = 1;
   guint16 tmpOffsetEnd = 1;

   //There could be more than one PPP packet in the multiplexer packet
   for (i = 0; i < sizeMuxPPPHeader/7; i++){

      tvbuff_t* new_tvb = NULL;
      fragment_data *frag_msg = NULL;
      guint16 msg_seqid; //ID of the message
      guint16 msg_num;     //Sequence number

      guint8 msg_start;  //Start position of PPP packet
      guint8 msg_end;   //End of PPP packet
      guint8 msg_flag;  //Flag of packet

      tmpOffset = i * tmpOffset+1;

      //Get the necessary data
      msg_seqid = tvb_get_ntohs(tvb, tmpOffset); tmpOffset += 2;
      msg_num = tvb_get_ntohs(tvb, tmpOffset); tmpOffset += 2;
      msg_start = tvb_get_guint8(tvb, tmpOffset); tmpOffset += 1;
      msg_end = tvb_get_guint8(tvb, tmpOffset); tmpOffset += 1;
      msg_flag = tvb_get_guint8(tvb, tmpOffset); tmpOffset += 1;

      //Calculate the offset
      tmpOffsetBegin = sizeMuxPPPHeader + 1 + msg_start; 
      tmpOffsetEnd = sizeMuxPPPHeader + 1 + msg_end;

      pinfo->fragmented = TRUE;
      frag_msg = fragment_add_seq_check(tvb, tmpOffsetBegin, pinfo,
            msg_seqid, /* ID for fragments belonging together */
            msg_fragment_table, /* list of message fragments */
            msg_reassembled_table, /* list of reassembled messages */
            msg_num, /* fragment sequence number */
            tmpOffsetEnd, /* fragment length - to the end */
            msg_flag); /* More fragments? */


      new_tvb = process_reassembled_data(tvb, tmpOffsetBegin, pinfo,
            "Reassembled Message", frag_msg, &msg_frag_items,
            NULL, mux27010_tree);

      if (frag_msg) { /* Reassembled */
            if (check_col(pinfo->cinfo, COL_INFO))
                  col_append_str(pinfo->cinfo, COL_INFO,
                  " (Message Reassembled)");
            } else { /* Not last packet of reassembled Short Message */
      if (check_col(pinfo->cinfo, COL_INFO))
            col_append_fstr(pinfo->cinfo, COL_INFO,
            " (Message fragment %u)", msg_num);
      }
      if (new_tvb) { /* take it all */
            next_tvb = new_tvb;
      } else { /* make a new subset */
next_tvb = tvb_new_subset(tvb, tmpOffsetBegin, -1, -1);
}                    

Regards, Chris

Follow-Ups:
- Re: [Wireshark-dev] Reassembling splitted PPP packets
  - From: philippe alarcon

Prev by Date: [Wireshark-dev] A simple question about wireshark: confusion about OICQ protocol analysis
Next by Date: Re: [Wireshark-dev] Reassembling splitted PPP packets
Previous by thread: Re: [Wireshark-dev] A simple question about wireshark: confusion about OICQ protocol analysis
Next by thread: Re: [Wireshark-dev] Reassembling splitted PPP packets
Index(es):
- Date
- Thread