Wireshark-dev: [Wireshark-dev] problems with fragmented reassembly on tcp

From: Still Life <still.life@xxxxxxxx>
Date: Wed, 04 Oct 2006 18:15:21 +0200

Hi list,
I'm fighting with TCP reassembly but I always have some
problems. I have to dissect a protocol composed of different
messages. Each message has a fixed-size header (from 55555555
to messgeId) and in mesageLenght there is the length of the
message.

           |<-----------------myMsg------------------->|
|---------+--------+----+------------+--------+--||---+
|tcpHeader|55555555|0000|mesageLenght|messgeId|details|
|---------+--------+----+------------+--------+--||---+

In each packet captured by Wireshark I can find several of these
messages, and the last message in the packet's payload
(which can be a single long message as well) can be interrupted
at any point by packet fragmentation.


I wrote a dissector in the following manner:

__________________________________________________
if  (((gint)(tvb->length)) < 20)
{
    pinfo->desegment_offset = 0;
    pinfo->desegment_len = -1;
    return -1;
}
else
{
    fmessageHead = (guint32)get_k_byte_from_n(tvb, 0, 4);
    messageId = (guint32)get_k_byte_from_n(tvb, 4, 4);
    messageChecksum = (guint32)get_k_byte_from_n(tvb, 8, 4);
    reservedBytes = (guint32)get_k_byte_from_n(tvb, 12, 4);
    messageLength = (guint16)get_k_byte_from_n(tvb, 16, 2);
    message = (guint16)get_k_byte_from_n(tvb, 18, 2);

    if (((gint)(tvb->length)) < (18 + messageLength))
    {
        pinfo->desegment_offset = 0;
        pinfo->desegment_len = -1;
        return -1;
    }
}

[.....code needed to dissect the message's details....]

if (((tvb->length) - offset) > 0)
{
   tvbuff_t* new_new_tvb;
   new_new_tvb = tvb_new_subset(tvb , offset, -1, -1);
   dissect_phones_vklone_server(new_new_tvb, pinfo,
                        phones_vklone_server_tree);
   return 1;
}

_______________________________________________________


My idea was to dissect the packet until the end of the tvb is
reached, and if the offset remains less than tvb->length I
recursively call the dissector on the remaining subset of the tvb.
At the top I recognize whether there is a complete message header
or not, and if yes I check whether there is an entire message and ask
for more bytes if needed.

I'm still having problems with some packets.
Is my approach right? Did you notice some big mistake or
do you have some suggestion for me?
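
Added example, not part of the original post or of Wireshark's code: the framing decision described above as a stand-alone C function that walks a TCP payload in a loop and reports where the first incomplete message starts and how many bytes are still missing. The layout (20-byte header, 2-byte length at offset 16, message size 18 + length) is taken from the offsets in the post's code; big-endian byte order, the `frame_result` struct and all function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed layout, taken from the offsets in the post's code: 20-byte header,
 * 2-byte length at offset 16 (big-endian assumed), message = 18 + length bytes. */
enum { HDR_LEN = 20, LEN_OFF = 16, LEN_BASE = 18, ONE_MORE_SEGMENT = -1 };

typedef struct {
    int    messages;   /* complete messages found in the payload */
    size_t deseg_off;  /* start of the first incomplete message (payload-relative) */
    int    deseg_len;  /* 0 none pending, -1 header cut short, >0 bytes still missing */
    int    malformed;  /* length field smaller than the header allows */
} frame_result;

/* Iterative framing: one pass over the payload, no recursion on sub-buffers. */
frame_result split_messages(const uint8_t *buf, size_t len)
{
    frame_result r = {0, 0, 0, 0};
    size_t off = 0;
    while (off < len) {
        size_t avail = len - off;
        r.deseg_off = off;
        /* Not even a full header: the length field cannot be trusted yet. */
        if (avail < HDR_LEN) { r.deseg_len = ONE_MORE_SEGMENT; return r; }
        size_t total = LEN_BASE +
            (((size_t)buf[off + LEN_OFF] << 8) | buf[off + LEN_OFF + 1]);
        /* A message shorter than its own header is rejected, not dissected. */
        if (total < HDR_LEN) { r.malformed = 1; return r; }
        /* Header complete, body cut: the exact number of missing bytes is known. */
        if (avail < total) { r.deseg_len = (int)(total - avail); return r; }
        r.messages++;
        off += total;
    }
    r.deseg_off = off;
    return r;
}

/* Constructed sample: two messages (lengths 6 and 10 -> 24 and 28 bytes),
 * truncated to `cut` bytes to imitate a TCP segment boundary. */
frame_result demo_split(size_t cut)
{
    uint8_t buf[52];
    memset(buf, 0, sizeof buf);
    memset(buf, 0x55, 4);      buf[17] = 6;       /* message 1 at offset 0  */
    memset(buf + 24, 0x55, 4); buf[24 + 17] = 10; /* message 2 at offset 24 */
    return split_messages(buf, cut > sizeof buf ? sizeof buf : cut);
}
```

In a dissector the two reported values correspond to `pinfo->desegment_offset` and `pinfo->desegment_len`; Wireshark's `tcp_dissect_pdus()` helper covers this pattern for protocols with a fixed-size header that carries the message length.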