Wireshark-dev: [Wireshark-dev] Malformed packet New dissector

From: "your highness" <zanash@xxxxxxxxx>
Date: Fri, 16 Feb 2007 16:06:52 +0100
Hi everyone,

I managed to write a dissector for a new protocol (Condor) and it
works most of the time ; ) ... Thanks to Jaap Keuter and the README
files. I am starting a new thread for a new problem.

The problem is that I get errors for packets that are spread over
multiple TCP packets.

Condor runs on top of TCP. In the header of each Condor packet the
length of the whole packet is given by a 3-octet field, thus as
suggested in the README.developer I used tcp_dissect_pdus() for
reassembling Condor packets that span across more than one TCP
packet.

The skeleton of my code that is relevant to this issue is as follows:

static guint
get_condor_pdu_len(tvbuff_t *tvb, int offset)
{
 // total packet length in 2nd, 3rd and 4th octets of a Condor packet
 return tvb_get_ntoh24(tvb, offset+1);
}

static void
dissect_condor_tcp_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
 // code removed
 dissect_condor_common(tvb, pinfo, tree); // dissects a single Condor packet
}

static void
dissect_condor_tcp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
 tcp_dissect_pdus(tvb, pinfo, tree, condor_desegment, 3, get_condor_pdu_len,
	dissect_condor_tcp_pdu);
}

I first got the error message [Packet size limited during capture]
when I sent a number of packets together (the length of the packets
together was more than 1024 bytes). But it must be caused by the
segmentation by the Data Link Layer. Using tcp_dissect_pdus() solved
this problem. I don't understand how this happens because I supposed
that when a protocol runs on top of TCP, the tcp dissector itself
would take care of reassembly of the Data Link Layer packets. Is my
reasoning correct?

So the problem that I get now appears when I send more than 8192 bytes
(8K). In that case some Condor packets will span across different TCP
packets, right? Only Condor packets in the first TCP packet are
recognized as valid. The other ones are tagged "Malformed packet".

I am using netcat to send files that contain Condor packets for my
tests. Attached is a captured file that contains Condor packets of 42
bytes. The first packet that is tagged Malformed has 2 bytes in the
first TCP packet (0x20 and 0x00) and 40 bytes in the second TCP
packet.

Does anyone have an idea how to resolve this problem?
Thanks, Zana

Attachment: condor_653646.pcap
Description: Binary data
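
Added example (not part of the original post and not Wireshark code): a stand-alone C model of reassembling length-prefixed PDUs across TCP segments, using the framing described above (3-octet big-endian total length in octets 2 to 4, so 4 header octets must be buffered before the length can be read). The names stream_t, feed_segment, make_pdu and the MAX_PDU cap are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HDR_LEN 4        /* octet 0 plus the 3-octet length in octets 1..3 */
#define MAX_PDU 4096     /* assumed sanity cap for this model */

typedef struct {
    uint8_t buf[2 * MAX_PDU];   /* bytes carried over between segments */
    size_t  have;
} stream_t;

/* Big-endian 24-bit total length; caller guarantees HDR_LEN bytes at p. */
static size_t pdu_len(const uint8_t *p)
{
    return ((size_t)p[1] << 16) | ((size_t)p[2] << 8) | p[3];
}

/* Append one TCP segment, consume every complete PDU, keep the tail.
 * Returns the number of complete PDUs, or -1 on an impossible length. */
static int feed_segment(stream_t *s, const uint8_t *seg, size_t n)
{
    size_t off = 0;
    int pdus = 0;
    if (n > sizeof s->buf - s->have)
        return -1;
    memcpy(s->buf + s->have, seg, n);
    s->have += n;
    while (s->have - off >= HDR_LEN) {          /* header complete? */
        size_t len = pdu_len(s->buf + off);
        if (len < HDR_LEN || len > MAX_PDU)     /* length field is untrusted */
            return -1;
        if (s->have - off < len)                /* body still in flight */
            break;
        off += len;                             /* a dissector would run here */
        pdus++;
    }
    memmove(s->buf, s->buf + off, s->have - off);
    s->have -= off;
    return pdus;
}

/* Constructed sample: octet 0 = 0x20, 24-bit total length, zero payload. */
static void make_pdu(uint8_t *out, size_t total)
{
    memset(out, 0, total);
    out[0] = 0x20; out[1] = (uint8_t)(total >> 16);
    out[2] = (uint8_t)(total >> 8); out[3] = (uint8_t)total;
}
```

Feeding three constructed 42-byte PDUs as an 86-byte segment followed by a 40-byte segment reproduces the 2 + 40 split from the capture: the first call completes two PDUs and holds 2 bytes, the second completes the third.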