
Wireshark-dev: Re: [Wireshark-dev] complex problem

Date: Tue, 18 Oct 2011 11:18:03 +0200
Hello Marcel,

I don't have the solution for your problem, but I am basically doing the
same kind of thing as you in a plugin dissector.
I do some reassembling, probably not in a Wireshark-standard way, and it
seems to work, though I think I should have the same problem as you.

In my case the fragments of a given packet may all be in the same
Wireshark frame (most of the time) but not always.
What I do is manage a list of fragment descriptors. Each time I decode a
fragment I create a new descriptor and save it to an ordered list. When I
get the last fragment I do some reassembling.
To avoid creating multiple descriptors for the same fragment I save the
frame number in the descriptor (though I may have used the visited flag).

For some reason my dissector is only meant to be used from an input .pcap
file (not for realtime capture).
I guess you also use .pcap files, otherwise you would not have the problem.

It would be useful to have an option in Wireshark to request that each time
a new capture file is loaded, it decodes each frame in sequence.
Do Wireshark experts think it would be too complex?
I tend to think it is not, since it merely means applying a filter after
loading the file...

Regards
Fabien


>  On Thu, 13 Oct 2011 11:40:01 +0200, Marcel Haas <inf462@xxxxxxxxxxx>
>  wrote:
>> Hey,
>> maybe the problem isn't so complex to solve, but it's complex for me to
>> explain. :)
>>
>> I have written my own reassemble code and it seems to work. But I
>> have one big problem.
>> If I set the filter and click apply, it works, because it goes through
>> every packet.
>> And I get my reassembled msg after the packet, but if I now click at the
>> reassembled packet there
>> is no reassembled tvb. I know the reason for that: it interprets
>> every packet one on one.
>>
>> Example:
>> Filter is set, click at Apply
>> Packet: 1 -frag
>> Packet: 2 -frag
>> Packet: 3 -Reassemble (last frag)
>> If I click at Packet 3 it interprets only packet 3. It doesn't see
>> packets 1 and 2,
>> and so it builds no Reass Tvb.
>>
>> Maybe I'm calling my function at the wrong position.
>> Code:
>>
>> static void
>> dissect_xxx(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree){
>>         ...
>>         if(tree){
>>             ...
>>         }
>>         // Fragment Routine ---------------------------------------------
>>         if(totalp > 1){
>>                 frag_tvb = tvb_new_subset(tvb, offset2, -1, -1); // Get the TVB
>>
>>                 // Reass Function
>>                 big_tvb = ListenElementEinfuegen(NeuesListenElement(snode, pnum, totalp, frag_tvb));
>>
>>                 if (big_tvb) { // Reassembled: big_tvb != NULL
>>                         col_append_str(pinfo->cinfo, COL_INFO,
>>                                 " (Message Reassembled)");
>>                         add_new_data_source(pinfo, big_tvb, "Defrag TVB"); // ADD new Data Source
>>                 } else { // Not last packet of reassembled Short Message: big_tvb == NULL
>>                         col_append_fstr(pinfo->cinfo, COL_INFO,
>>                                 " (Message fragment %u)", pnum);
>>                         col_append_fstr(pinfo->cinfo, COL_INFO,
>>                                 " (Frag:  %u)", pinfo->fd->num);
>>                         col_append_fstr(pinfo->cinfo, COL_INFO,
>>                                 " (Visit:  %u)", pinfo->fd->flags.visited);
>>                 }
>>         }
>> }
>>
>> I hope someone understands my problem and has a good idea/solution :)
>>
>> thx and regards
>> Marcel
>>
>> ___________________________________________________________________________
>> Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
>> Archives:    http://www.wireshark.org/lists/wireshark-dev
>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>>              mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
>  Hey guys,
>  still having the same problem..
>  Nobody has a clue for me??
>
>  Jeff was saying to put my code before if(tree), if I got it right.. but
>  other dissectors use reassembling after if(tree) too.
>  Maybe I can control it by "pinfo->fd->flags.visited"??
>
>  Regards Marcel
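The thread turns on Wireshark's two-pass behaviour: the first pass over a capture (filter applied, file loaded) dissects every frame in order with `pinfo->fd->flags.visited == 0`, but clicking a frame later re-dissects only that single frame with `visited == 1`, so a reassembler that keeps its fragments only in memory that is rebuilt per frame has nothing to show. The model below is an added example (not code from Marcel, Fabien or Wireshark's epan library) of the fix both of them circle around: add fragments only on the unvisited pass, remember each finished message keyed by the frame number that completed it, and on a visited re-dissection do nothing but look that frame up. The table type, the `MAX_*` limits, the `reasm_add`/`reasm_lookup` names and the three-fragment "Hello, Wireshark!" message are constructed for the example; a real dissector would hand this job to Wireshark's own reassembly API, which keeps the same frame-number-keyed state for you.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from the thread or from Wireshark's epan library.
 * It models two-pass dissection: pass one visits frames in order
 * (visited == 0); clicking a frame later re-dissects only that frame
 * (visited == 1).  State the later pass needs is stored on pass one, keyed
 * by frame number, and only looked up afterwards.  Frame numbers, payloads
 * and the MAX_* limits are constructed assumptions for the example. */

#define MAX_FRAGS  16
#define MAX_DONE   16
#define MSG_LEN   256

typedef struct {
    unsigned frame_num;   /* frame that carried this fragment */
    unsigned seq;         /* 1-based fragment number within the message */
    char     data[32];
} fragment_t;

typedef struct {
    fragment_t frags[MAX_FRAGS];   /* fragments of the message in progress */
    unsigned   nfrags;
    struct {                       /* finished messages, keyed by the frame
                                      number of the fragment that completed them */
        unsigned frame_num;
        char     msg[MSG_LEN];
    } done[MAX_DONE];
    unsigned ndone;
} reasm_table_t;

static void reasm_init(reasm_table_t *t) { memset(t, 0, sizeof *t); }

/* Second-pass path: return the message already reassembled at this frame. */
static const char *reasm_lookup(const reasm_table_t *t, unsigned frame_num)
{
    for (unsigned i = 0; i < t->ndone; i++)
        if (t->done[i].frame_num == frame_num)
            return t->done[i].msg;
    return NULL;
}

/* Called once per fragment from the (hypothetical) dissector.  Returns the
 * reassembled message if this frame completes it, otherwise NULL.
 * visited != 0 means a single frame is being re-dissected, so no fragment
 * may be added; only the stored result is consulted. */
static const char *reasm_add(reasm_table_t *t, unsigned frame_num, int visited,
                             unsigned seq, unsigned total, const char *data)
{
    if (visited)
        return reasm_lookup(t, frame_num);

    /* Refuse a frame or sequence number already in the table: this is the
     * duplicate-descriptor problem Fabien solves by storing the frame number. */
    for (unsigned i = 0; i < t->nfrags; i++)
        if (t->frags[i].frame_num == frame_num || t->frags[i].seq == seq)
            return NULL;
    if (seq == 0 || seq > total || total > MAX_FRAGS || t->nfrags >= MAX_FRAGS)
        return NULL;   /* malformed fragment header or table full: drop it */

    fragment_t *f = &t->frags[t->nfrags++];
    f->frame_num = frame_num;
    f->seq = seq;
    snprintf(f->data, sizeof f->data, "%s", data);

    if (t->nfrags < total)
        return NULL;   /* still waiting for fragments */
    if (t->ndone >= MAX_DONE)
        return NULL;   /* no room to store a finished message */

    /* Distinct seq values in 1..total and nfrags == total means every piece
     * is present; concatenate by sequence number so out-of-order arrival
     * still yields the right message. */
    char *out = t->done[t->ndone].msg;
    out[0] = '\0';
    for (unsigned s = 1; s <= total; s++)
        for (unsigned i = 0; i < t->nfrags; i++)
            if (t->frags[i].seq == s)
                strncat(out, t->frags[i].data, MSG_LEN - strlen(out) - 1);
    t->done[t->ndone].frame_num = frame_num;
    t->ndone++;
    t->nfrags = 0;     /* this message is finished; start a fresh set */
    return out;
}

int main(void)
{
    reasm_table_t t;
    reasm_init(&t);
    /* First pass, frames in order: fragments 1..3 of a constructed message. */
    reasm_add(&t, 1, 0, 1, 3, "Hello, ");
    reasm_add(&t, 2, 0, 2, 3, "Wire");
    const char *first = reasm_add(&t, 3, 0, 3, 3, "shark!");
    /* The user clicks frame 3: only that frame is dissected, visited == 1. */
    const char *again = reasm_add(&t, 3, 1, 3, 3, "shark!");
    printf("first pass: %s\nframe 3 alone: %s\n",
           first ? first : "(null)", again ? again : "(null)");
    return 0;
}
```

The point to carry over to a real dissector is the split on `visited`: the unvisited pass is the only place fragment state may be created, and the `done` table must live as long as the capture (in Wireshark terms, in memory that is reset on a new file rather than per packet), otherwise the click on frame 3 finds an empty table exactly as Marcel describes.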