Wireshark-dev: Re: [Wireshark-dev] problems with fragmented reassembly on tcp

From: Jaap Keuter <jaap.keuter@xxxxxxxxx>
Date: Wed, 4 Oct 2006 18:38:00 +0200 (CEST)
Hi,

Have you checked chapter 2.7 of doc/README.developer?
I guess Wireshark already provides all the tools you need for this.

Thanx,
Jaap

On Wed, 4 Oct 2006, Still Life wrote:

>
> Hi list,
> I'm fighting with TCP reassembly but I always have some
> problem. I have to dissect a protocol composed of different
> messages. Each message has a fixed-size header (from 55555555
> to messgeId) and in mesageLenght there is the length of the
> message.
>
>             |<-----------------myMsg------------------->|
> |---------+--------+----+------------+--------+--||---+
> |tcpHeader|55555555|0000|mesageLenght|messgeId|details|
> |---------+--------+----+------------+--------+--||---+
>
> In each packet captured by Wireshark I can find more than one of
> these messages, and the last message in the packet's payload
> (which can be a single long message as well) can be interrupted
> at any point by packet fragmentation.
>
>
> I wrote a dissector in the following manner:
>
> __________________________________________________
> if (((gint)(tvb->length)) < 20)
> {
>     pinfo->desegment_offset = 0;
>     pinfo->desegment_len = -1;
>     return -1;
> }
> else
> {
>     fmessageHead = (guint32)get_k_byte_from_n(tvb, 0, 4);
>     messageId = (guint32)get_k_byte_from_n(tvb, 4, 4);
>     messageChecksum = (guint32)get_k_byte_from_n(tvb, 8, 4);
>     reservedBytes = (guint32)get_k_byte_from_n(tvb, 12, 4);
>     messageLength = (guint16)get_k_byte_from_n(tvb, 16, 2);
>     message = (guint16)get_k_byte_from_n(tvb, 18, 2);
>
>     if (((gint)(tvb->length)) < (18 + messageLength))
>     {
>         pinfo->desegment_offset = 0;
>         pinfo->desegment_len = -1;
>         return -1;
>     }
> }
>
> [.....code needed to dissect the message's details....]
>
> if (((tvb->length) - offset) > 0)
> {
>     tvbuff_t* new_new_tvb;
>     new_new_tvb = tvb_new_subset(tvb, offset, -1, -1);
>     dissect_phones_vklone_server(new_new_tvb, pinfo,
>                                  phones_vklone_server_tree);
>     return 1;
> }
>
> _______________________________________________________
>
>
> My idea was to dissect the packet until the end of the tvb is
> reached, and if the offset remains less than tvb->length I
> recursively call the dissector on the remaining subset of the tvb.
> At the top I check whether there is a complete message header
> or not, and if yes I check whether there is an entire message and
> ask for more bytes if needed.
>
> I'm still having problems with some packets.
> Is my approach right? Did you notice some big mistake, or do you
> have some suggestion for me?
>
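
The framing described in the quoted post, as an added stand-alone C example (not code from this thread or from Wireshark): it walks one buffer in a loop, counts complete messages, and reports where the first incomplete message starts and how many bytes it still needs, the two values a dissector would place in pinfo->desegment_offset and pinfo->desegment_len. Assumptions: a message is 18 + messageLength bytes as in the posted check, the length field is big-endian, and `scan_result` / `scan_messages` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>

#define HDR_LEN    20  /* fixed header size the post checks for */
#define LEN_OFFSET 16  /* 2-byte messageLength field, as read in the post */
#define LEN_BASE   18  /* the post treats a message as 18 + messageLength bytes */

struct scan_result {   /* hypothetical type for this example */
    size_t complete;   /* whole messages found in the buffer */
    size_t resume_off; /* offset of the first incomplete message (== len if none) */
    size_t need;       /* minimum extra bytes before a rescan can make progress */
};

/* Walk the buffer in a loop, keeping every offset relative to the start of buf. */
static struct scan_result scan_messages(const uint8_t *buf, size_t len)
{
    struct scan_result r = {0, len, 0};
    size_t off = 0;
    while (off < len) {
        size_t avail = len - off, msg_len = HDR_LEN;
        if (avail >= HDR_LEN) {     /* whole header present: length is readable */
            /* Assumption: the length field is big-endian. */
            msg_len = LEN_BASE + (((size_t)buf[off + LEN_OFFSET] << 8) | buf[off + LEN_OFFSET + 1]);
            if (msg_len < HDR_LEN) msg_len = HDR_LEN; /* malformed length: clamp, keep advancing */
        }
        if (avail < msg_len) {      /* header or body continues in a later segment */
            r.resume_off = off;
            r.need = msg_len - avail;
            return r;
        }
        r.complete++;
        off += msg_len;
    }
    return r;
}

int main(void)
{
    /* Constructed segment: a 28-byte message, then the first 33 bytes of a 48-byte one. */
    uint8_t seg[61] = {0};
    seg[LEN_OFFSET + 1] = 10;        /* messageLength 10 -> 18 + 10 = 28 bytes */
    seg[28 + LEN_OFFSET + 1] = 30;   /* messageLength 30 -> 18 + 30 = 48 bytes */
    struct scan_result r = scan_messages(seg, sizeof seg);
    printf("complete=%zu resume_off=%zu need=%zu\n", r.complete, r.resume_off, r.need);
    return 0;
}
```

When the header itself is split, `need` is only the number of bytes that completes the header; the length field is read on the next scan.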