Wireshark-dev: [Wireshark-dev] Advice needed: desegmentation
From: Stephen Fisher <[email protected]>
Date: Thu, 17 Aug 2006 16:15:55 -0700
I am working on the dissector for the VNC protocol.  I am trying to 
figure out what the best way to reassemble a one message type that spans 
multiple TCP segments.  I have come across two different methods in 
other dissectors: one that is in the developer's guide using 
tcp_dissect_pdus() and the other that sets pinfo->desegment_offset and 

I'm not sure which (if either) of the above will work due to the way 
these messages are sent.  The message has multiple rectangle updates 
with different types of encoding for each and then pixel data.  The 
length of pixel data in each message depends on on the parameters of 
that rectangle update (width x height) and its encoding type.  I don't 
know how many bytes will span across to the next segment until I reach 
the last rectangle update of the current segment.

I need to be able to keep extending the reassembly by another packet as 
I go through each packet.  There is no field that tells me how many 
segments it will span.  For example, packet #1 may have 10 rectangle 
updates and the 10th spans into the next segment.  Once I get to the 
next segment, it may have another 10 with the final rectangle update 
spans to the next segment.  This may go on for 10-15 packets.  I would 
prefer that each of these turn into "tcp segment of a reassembled PDU" 
and the final one be the normal dissection of all of the rectangle 
updates put end to end.

Which desegmentation method is best and will work in this case?  Any 
advice would be greatly appreciated!