The reassembly stuff needs to be enhanced slightly.
But one must be careful, there are issues to keep in mind.
First of all we MUST make sure that the reassembly routines ONLY pass the
(fully or partially)
reassembled packets to the higher layer dissectors only once.
If we dont guarantee this then we will make request/response matching and
service response time
calculations semantically undefined/meaningless.
When reassembly is used we also want to defer calling the higher layer
dissector until the entire PDU
has been reassembled since tethereal is just single-pass and can not go back
and redissect a packet later.
(if we say: forget about tethereal, just make ethereal work everything
would become much simpler.
problem is that tethereal is very useful so we/i dont want to do that)
However, the current reassembly is suboptimal in that it is an all or
nothing feature.
Either we can reassemble the packet completely and thus we do call the
subdissector or we cant
reassemble it fully (missing packet?) and we dont get to call the
subdissector at all (we dont even call it for what partial data we do have)
This is bad.
Maybe we can use pinfo->fd->flags.visited and change reassembly.c as :
Currently the reassembly functions wil only return a buffer when reassembly
has completed successfully. The reassembly functions will also remember in
which frame reassembly was completed
so that later, when the packets are redissected, that full buffer will only
be passed back to the caller
when invoked for that particular frame number. All other invokations for
other fragments of the same buffer will still return NULL.
This is to make sure that we only pass the reassembled PDU back ONCE, and
that we always pass it back for the same frame number. (dont like higher
layer protocol decodes jumping aound between frame numbers when we refilter)
in addition to this also do:
if the reassembly functions are called and pinfo->fd->flags.visited is set
then assume we have got
all the fragments we are ever going to get and if the PDU is not yet fully
reassembled then
just force reassembly of what we have got and pass that back as if it had
been fully reassembled.
Then at least when we refilter the capture these incompletely reassembled
packets will be dissected as short packets instead of as not dissected at
all.
There would still be boundary cases and issues related to when we use
reassembly with update packet list in real time and refilter the capture
before we have received the fragments m issing from a pdu but i guess we
can live with that.
The change proposed above should make the reassembly much better and should
be tested by someone.
ronnie s
_________________________________________________________________
You could be a genius! Find out by taking the IQ Test 2003. $5.50 (incl
GST). Click here: http://sites.ninemsn.com.au/minisite/testaustralia/
