Wireshark-dev: Re: [Wireshark-dev] Advice needed: desegmentation
From: Guy Harris <[email protected]>
Date: Thu, 17 Aug 2006 16:57:25 -0700
On Aug 17, 2006, at 4:15 PM, Stephen Fisher wrote:

> I am working on the dissector for the VNC protocol.  I am trying to
> figure out the best way to reassemble one message type that spans
> multiple TCP segments.  I have come across two different methods in
> other dissectors: one that is in the developer's guide using
> tcp_dissect_pdus() and the other that sets pinfo->desegment_offset and
> pinfo->desegment_len.

Both of those work by setting pinfo->desegment_offset and
pinfo->desegment_len; the difference is that, if you use
tcp_dissect_pdus(), tcp_dissect_pdus() sets them for you, and does other
work for you as well.

> I'm not sure which (if either) of the above will work due to the way
> these messages are sent.  The message has multiple rectangle updates
> with different types of encoding for each and then pixel data.  The
> length of pixel data in each message depends on the parameters of
> that rectangle update (width x height) and its encoding type.  I don't
> know how many bytes will span across to the next segment until I reach
> the last rectangle update of the current segment.
>
> I need to be able to keep extending the reassembly by another packet as
> I go through each packet.  There is no field that tells me how many
> segments it will span.  For example, packet #1 may have 10 rectangle
> updates and the 10th spans into the next segment.  Once I get to the
> next segment, it may have another 10 with the final rectangle update
> spanning to the next segment.  This may go on for 10-15 packets.  I would
> prefer that each of these turn into "tcp segment of a reassembled PDU"
> and the final one be the normal dissection of all of the rectangle
> updates put end to end.

tcp_dissect_pdus() only works if the length of the entire PDU can be
determined by looking at a small amount of data at the beginning of
the PDU (and if the small amount of data is no larger than the
smallest possible PDU).

It sounds as if you cannot determine the total length of the PDU by
looking at a small amount of data at the beginning of the PDU; if so,
tcp_dissect_pdus() cannot work.
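
Added example, not part of the original message and not Wireshark code: a stand-alone C sketch of the rectangle-by-rectangle length walk the question describes, reporting how many more bytes are needed before the message can be dissected. It assumes the RFB FramebufferUpdate layout (4-byte message header, 12-byte rectangle header), handles only the Raw and CopyRect encodings, and uses hypothetical names; a dissector would place the returned count in pinfo->desegment_len, with pinfo->desegment_offset at the start of the message.

```c
#include <stddef.h>
#include <stdint.h>

#define RFB_ENC_RAW      0   /* pixel data: width * height * bytes-per-pixel */
#define RFB_ENC_COPYRECT 1   /* pixel data: 4 bytes (source x, source y) */

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Walk one FramebufferUpdate at buf[0], given `avail` reassembled bytes.
 * Returns 0 and sets *pdu_len when the whole message is present, N > 0 when
 * at least N more bytes are needed (a lower bound: later rectangles are not
 * visible yet), or -1 for an encoding this sketch does not handle. */
int64_t rfb_update_bytes_missing(const uint8_t *buf, size_t avail,
                                 unsigned bytes_per_pixel, uint64_t *pdu_len)
{
    uint64_t off = 4;                    /* type, padding, number-of-rectangles */
    if (avail < off) return (int64_t)(off - avail);
    uint16_t nrects = be16(buf + 2);

    for (uint16_t i = 0; i < nrects; i++) {
        if (avail < off + 12)            /* x, y, w, h (2 bytes each) + encoding (4) */
            return (int64_t)(off + 12 - avail);
        uint64_t w = be16(buf + off + 4), h = be16(buf + off + 6);
        int32_t enc = (int32_t)be32(buf + off + 8);
        off += 12;

        uint64_t data;                   /* 64-bit: w * h * bpp can exceed 32 bits */
        if (enc == RFB_ENC_RAW)           data = w * h * bytes_per_pixel;
        else if (enc == RFB_ENC_COPYRECT) data = 4;
        else return -1;

        if (avail < off + data)          /* this rectangle spans into a later segment */
            return (int64_t)(off + data - avail);
        off += data;
    }
    *pdu_len = off;
    return 0;
}

/* Constructed sample: 2 rectangles, 2x2 Raw at 4 bytes/pixel, then 1x1 CopyRect. */
static const uint8_t sample_update[48] = {
    0, 0, 0, 2,                                   /* type, padding, nrects = 2 */
    0, 0, 0, 0, 0, 2, 0, 2, 0, 0, 0, 0,           /* x, y, w=2, h=2, Raw */
    [32] = 0, 0, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1,    /* x, y, w=1, h=1, CopyRect */
};
```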