
Wireshark-dev: [Wireshark-dev] same PDU over different number of TCP-Segments causes wrong reas

From: Robert Naumann <robert.naumann@xxxxxxxxxxxxxxxxxxxx>
Date: Wed, 13 Jun 2007 17:27:17 +0200
Hello,

I have got a new problem with tcp_dissect_pdus(). I got a PDU with a fixed header length of 8 bytes, which also contains the length of the whole PDU. The length information is stored in the 3rd byte, so the minimum header size is 3. The data length of the PDU in my cases is always 1 byte.

In the first case the PDU is split over 4 TCP-Segments:

1. Segment: 1 Byte (PDU Type)
2. Segment: 1 Byte (some stuff)
3. Segment: 1 Byte (length-information)
4. Segment: 5 Bytes (some stuff + one Databyte)

- in this case tcp_dissect_pdus(tvb, pinfo, tree, TRUE, 3 , get_pdu_len, dissect_pdus); works fine
-> get_pdu_len passes 9 as the number of Bytes for the whole PDU
-> reassembling works followed by a correct dissection

In the second case the PDU is only split over 2 TCP-Segments:

1. Segment: 1 Byte (PDU Type)
2. Segment: 8 Bytes (some stuff + length information + some stuff + Databyte)

- in this case tcp_dissect_pdus(tvb, pinfo, tree, TRUE, 3 , get_pdu_len, dissect_pdus); doesn't work correctly
-> get_pdu_len passes 9 as the number of Bytes for the whole PDU
-> the wireshark-frame only shows [TCP segment of a reassembled PDU] with reassembled 3 Bytes (minimum header bytes) -> the rest seems to be ignored, which causes wrong dissection of the following packets in the same direction

I already looked in packet-tcp.c and tried to figure out what's happening. tcp_dissect_pdus() seems to work correctly. I think the problem lies in desegment_tcp() but I couldn't figure out what's wrong.

Any help would be appreciated.
Regards,
Robert
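
As a reference for what reassembly should yield in both cases above, here is a stand-alone model of length-prefixed reassembly (an added example, not part of the original post and not Wireshark's code). It assumes the 3rd byte counts data bytes, so the total is 8 + that byte; the sample PDU bytes and the names `reasm`, `feed` and `run` are constructed for illustration, and the last segment carries whatever remains of the 9-byte PDU.

```c
#include <stdio.h>
#include <string.h>

#define HDR_LEN 8               /* fixed header size stated in the post */
#define MIN_HDR 3               /* bytes needed before the length byte can be read */
#define MAX_PDU (HDR_LEN + 255) /* largest total a one-byte length can describe */

struct reasm { unsigned char buf[MAX_PDU]; size_t have, pdus, last_len; };

/* Assumption: the 3rd byte counts data bytes, so total = 8 + buf[2] (9 in the post). */
static size_t pdu_len(const unsigned char *hdr) { return HDR_LEN + hdr[2]; }

/* Consume one TCP segment; PDU boundaries are independent of segment boundaries. */
static void feed(struct reasm *r, const unsigned char *seg, size_t n)
{
    while (n > 0) {
        /* Ask for the minimum header first, then for the whole PDU. */
        size_t want = r->have < MIN_HDR ? MIN_HDR : pdu_len(r->buf);
        size_t take = want - r->have < n ? want - r->have : n;
        memcpy(r->buf + r->have, seg, take);
        r->have += take; seg += take; n -= take;
        if (r->have >= MIN_HDR && r->have == pdu_len(r->buf)) {
            r->pdus++; r->last_len = r->have; r->have = 0; /* PDU complete */
        }
    }
}

/* Send `singles` one-byte segments, then the rest of the PDU in one segment. */
static size_t run(size_t singles, size_t *last_len)
{
    /* Constructed sample: type, filler, length byte = 1, 5 filler bytes, 1 data byte. */
    static const unsigned char pdu[9] = {0x01, 0xAA, 0x01, 0, 0, 0, 0, 0, 0x42};
    struct reasm r;
    size_t off;
    memset(&r, 0, sizeof r);
    for (off = 0; off < singles; off++)
        feed(&r, pdu + off, 1);
    feed(&r, pdu + off, sizeof pdu - off);
    *last_len = r.last_len;
    return r.pdus;
}

int main(void)
{
    size_t len4, len2;
    size_t n4 = run(3, &len4), n2 = run(1, &len2);
    printf("1+1+1+rest: %zu PDU(s), %zu bytes\n", n4, len4);
    printf("1+rest:     %zu PDU(s), %zu bytes\n", n2, len2);
    return 0;
}
```

Both segmentations deliver exactly one 9-byte PDU and leave nothing buffered, so the bytes that follow start a new PDU at the right offset.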