Wireshark-dev: [Wireshark-dev] Dissecting TPKT?

From: "Wiese, Hendrik" <hendrik.wiese@xxxxxxxxxxx>
Date: Thu, 25 Jan 2007 12:02:34 +0100
Hello,

How do I dissect TPKT encapsulated packages? Is there any kind of
documentation aside from the RFC? 

What I've done already is check if it is a TPKT package (is_tpkt...) and
if it isn't (returned length == -1) I call the protocol specific
dissector function directly. If it _is_ a TPKT package, I call
dissect_tpkt_encap with a dissector_handle pointing to my protocol
specific dissector function. But what about split TPKT packages? Are
they merged automatically? And what about TCP packages containing more
than one TPKT package (where the last one might be fragmented as well,
continued in the next TCP package)? Are they split (and merged)
automatically within the TPKT dissector (or anywhere else)?

I have to mention, I don't know much about TPKT. And I've just begun
developing dissectors.

Thanks in advance...

Regards,
Hendrik
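
The two cases asked about above (several TPKTs in one TCP segment, and a TPKT or its header continued in the next segment) come down to framing on the 4-byte RFC 1006 header: version 3, a reserved byte, and a 16-bit big-endian length that counts the header itself. The following is an added example, not part of the original post and not Wireshark code; it does not use the Wireshark API, and `tpkt_stream` and `tpkt_next` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TPKT_HDR_LEN 4u /* version, reserved, 16-bit big-endian total length */
typedef struct {
    uint8_t buf[65535]; /* largest total the 16-bit length field can express */
    size_t  have;       /* bytes of the current TPKT collected so far */
} tpkt_stream;

/* Pull bytes from one TCP segment (*seg) until a TPKT is complete. Returns 1
 * with *pdu/*pdu_len set to its payload (valid until the next call), 0 when
 * the segment is used up, -1 on a header that cannot be TPKT (state reset). */
int tpkt_next(tpkt_stream *s, const uint8_t **seg, size_t *seg_len,
              const uint8_t **pdu, size_t *pdu_len)
{
    while (*seg_len > 0) {
        size_t want = TPKT_HDR_LEN; /* until the header is complete */
        if (s->have >= TPKT_HDR_LEN)
            want = ((size_t)s->buf[2] << 8) | s->buf[3];
        size_t take = want - s->have;
        if (take > *seg_len) take = *seg_len;
        memcpy(s->buf + s->have, *seg, take);
        s->have += take; *seg += take; *seg_len -= take;
        if (s->have < TPKT_HDR_LEN) continue; /* header split across segments */
        size_t total = ((size_t)s->buf[2] << 8) | s->buf[3]; /* untrusted */
        if (s->buf[0] != 3 || total < TPKT_HDR_LEN) {
            s->have = 0; return -1; /* caller should stop parsing the stream */
        }
        if (s->have == total) {
            *pdu = s->buf + TPKT_HDR_LEN;
            *pdu_len = total - TPKT_HDR_LEN;
            s->have = 0;
            return 1;
        }
    }
    return 0;
}

int main(void)
{
    static tpkt_stream s; /* constructed input: one TPKT, then a partial one */
    const uint8_t seg[] = {3,0,0,7,'a','b','c', 3,0,0,6,'x'}, *p = seg, *pdu = NULL;
    size_t n = sizeof seg, len = 0;
    while (tpkt_next(&s, &p, &n, &pdu, &len) == 1)
        printf("TPKT payload: %zu bytes\n", len);
    return 0;
}
```

One `tpkt_stream` is needed per direction of each TCP connection, since the partial TPKT it holds belongs to that byte stream only.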