Just another idea. A fragment of a reassembled SDU/PDU has a
"reassembled_in" field. Maybe we can just provide the logic that a fragment
packet matches the dfilter if it *or* the "reassembled_in" packet matches
the dfilter.
Regards,
Olivier
|-----Original Message-----
|From: Pia Sahlberg
|
|The reassembly stuff needs to be enhanced slightly.
|But one must be careful, there are issues to keep in mind.
|
|First of all we MUST make sure that the reassembly routines
|ONLY pass the
|(fully or partially)
|reassembled packets to the higher layer dissectors only once.
|If we dont guarantee this then we will make request/response
|matching and
|service response time
|calculations semantically undefined/meaningless.
|
|When reassembly is used we also want to defer calling the higher layer
|dissector until the entire PDU
|has been reassembled since tethereal is just single-pass and
|can not go back
|and redissect a packet later.
|(if we say: forget about tethereal, just make ethereal work
|everything
|would become much simpler.
|problem is that tethereal is very useful so we/i dont want to do that)
|
|
|However, the current reassembly is suboptimal in that it is an all or
|nothing feature.
|Either we can reassemble the packet completely and thus we do call the
|subdissector or we cant
|reassemble it fully (missing packet?) and we dont get to call the
|subdissector at all (we dont even call it for what partial
|data we do have)
|This is bad.
|
|
|Maybe we can use pinfo->fd->flags.visited and change reassembly.c as :
|Currently the reassembly functions wil only return a buffer
|when reassembly
|has completed successfully. The reassembly functions will also
|remember in
|which frame reassembly was completed
|so that later, when the packets are redissected, that full
|buffer will only
|be passed back to the caller
|when invoked for that particular frame number. All other
|invokations for
|other fragments of the same buffer will still return NULL.
|This is to make sure that we only pass the reassembled PDU
|back ONCE, and
|that we always pass it back for the same frame number. (dont
|like higher
|layer protocol decodes jumping aound between frame numbers
|when we refilter)
|
|in addition to this also do:
|if the reassembly functions are called and
|pinfo->fd->flags.visited is set
|then assume we have got
|all the fragments we are ever going to get and if the PDU is
|not yet fully
|reassembled then
|just force reassembly of what we have got and pass that back
|as if it had
|been fully reassembled.
|Then at least when we refilter the capture these incompletely
|reassembled
|packets will be dissected as short packets instead of as not
|dissected at
|all.
|
|
|There would still be boundary cases and issues related to when we use
|reassembly with update packet list in real time and refilter
|the capture
|before we have received the fragments m issing from a pdu but
|i guess we
|can live with that.
|
|
|The change proposed above should make the reassembly much
|better and should
|be tested by someone.
|
|
|
|ronnie s
