Wireshark-dev: [Wireshark-dev] Packets within packets within packets...

From: "Jon Andersen" <janderse@xxxxxxxxx>
Date: Fri, 13 Jul 2007 16:09:56 -0400
I'm working on a protocol dissector for several layered protocols on top of TCP and have a general dissection issue for which I'd like some advice or wizardry.

I have a packeted connection protocol on top of TCP, which itself contains packets of another protocol:
TCP
P1
P2

The issue is that the packets of P2 may be split up into multiple packets of P1, and P1 may be split up into multiple packets by TCP.  This makes the reassembly and dissection tricky (-;

tcp_dissect_pdus() works beautifully for handling fragmented P1 packets.  However, it doesn't help with the recursive problem of P2 packets being fragmented.

Think about what happens when a P2 packet is split across two P1 packets, and each of the P1 packets is encapsulated in a different TCP packet.  What is needed is a fancier or more general implementation of tcp_dissect_pdus, updated to handle new-style dissectors.  A new-style dissector can return a negative value to indicate that it needs more data from the next protocol up, in order to finish dissecting the packet. 

How it should work is that the dissector for P2 would return a negative value indicating how many more bytes it needs to finish dissecting the packet.  Then P1 would see that it also needs more bytes, to satisfy P2's needs.  So it would return a negative value.  Then tcp_dissect_pdus_superduper() would assemble some more TCP payload, and pass it down to P1, which would assemble some more P1 payload and pass it down to P2, which would then be able to reassemble the pesky fragmented P2 packet.

This could also be seen as a plea for generalizing tcp_dissect_pdus() so it's not just for TCP.

Any takers on writing tcp_dissect_pdus_superduper (g) ?

-Jon
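The nested reassembly the post describes, as an added example that is not Jon's code and does not use Wireshark's epan API (no tvbuff, no tcp_dissect_pdus): a self-contained C model in which every layer keeps its own reassembly buffer and follows the post's contract of reporting how many more bytes it still needs, so a deficit at P2 propagates up through P1 to the "TCP" driver. P1 and P2 are constructed protocols for the demo (2-byte big-endian length prefix plus payload, an assumption, not a real wire format), and the P1 cut points and TCP segment sizes are constructed so that neither layer's boundaries line up with the layer above it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed framing shared by P1 and P2 (assumption, not a real protocol):
 * 2-byte big-endian payload length, then the payload. */
#define HDR 2
#define BUFSZ 256

typedef struct layer {
    const char *name;
    struct layer *inner;   /* next protocol down, NULL for the innermost */
    uint8_t buf[BUFSZ];    /* this layer's own reassembly buffer */
    size_t len;            /* bytes currently buffered */
    int pdus;              /* complete PDUs seen at this layer */
    char last[BUFSZ];      /* last complete payload (innermost layer only) */
} layer_t;

/* The contract from the thread: >0 = length of the complete PDU at the front
 * of data, <0 = minus the number of bytes still missing to complete it. */
static long pdu_len(const uint8_t *data, size_t avail) {
    if (avail < HDR) return -(long)(HDR - avail);
    size_t total = HDR + (((size_t)data[0] << 8) | data[1]);
    if (avail < total) return -(long)(total - avail);
    return (long)total;
}

/* Feed bytes to a layer. Returns 0 if every nested layer ended on a PDU
 * boundary, otherwise the number of bytes the deepest incomplete layer still
 * needs (a partial PDU at this layer reports its own deficit, since that is
 * what must arrive first). Returns -1 if a PDU would not fit the buffer. */
static long layer_feed(layer_t *l, const uint8_t *data, size_t n) {
    long need = 0;
    if (l->len + n > BUFSZ) return -1;      /* refuse instead of overflowing */
    memcpy(l->buf + l->len, data, n);
    l->len += n;
    size_t off = 0;
    while (off < l->len) {
        long r = pdu_len(l->buf + off, l->len - off);
        if (r < 0) { need = -r; break; }    /* keep the partial PDU, wait */
        l->pdus++;
        if (l->inner) {                     /* hand the payload one layer down */
            need = layer_feed(l->inner, l->buf + off + HDR, (size_t)r - HDR);
            if (need < 0) return need;
        } else {
            memcpy(l->last, l->buf + off + HDR, (size_t)r - HDR);
            l->last[r - HDR] = '\0';
            need = 0;
        }
        off += (size_t)r;
    }
    memmove(l->buf, l->buf + off, l->len - off);   /* retain unconsumed tail */
    l->len -= off;
    return need;
}

/* Build one length-prefixed PDU into dst; returns the bytes written. */
static size_t frame(uint8_t *dst, const uint8_t *payload, size_t n) {
    dst[0] = (uint8_t)(n >> 8);
    dst[1] = (uint8_t)(n & 0xff);
    memcpy(dst + HDR, payload, n);
    return HDR + n;
}

/* Constructed scenario: two P2 PDUs ("hello", "world!") carried in three P1
 * PDUs that cut across the P2 boundaries, delivered by "TCP" in four segments
 * that cut across the P1 boundaries. Returns the number of complete P2 PDUs. */
static int run_demo(char *last_p2, size_t last_sz) {
    static const char *msgs[] = { "hello", "world!" };
    static const size_t cuts[] = { 4, 6, 5 };       /* P1 payload sizes */
    static const size_t segs[] = { 3, 7, 1, 10 };   /* TCP segment sizes */
    uint8_t p2[64], p1[64];
    size_t p2len = 0, p1len = 0, pos = 0;

    for (int i = 0; i < 2; i++)
        p2len += frame(p2 + p2len, (const uint8_t *)msgs[i], strlen(msgs[i]));
    for (int i = 0; i < 3; i++) {
        p1len += frame(p1 + p1len, p2 + pos, cuts[i]);
        pos += cuts[i];
    }

    layer_t L2 = { "P2", NULL, {0}, 0, 0, "" };
    layer_t L1 = { "P1", &L2, {0}, 0, 0, "" };
    pos = 0;
    for (int i = 0; i < 4; i++) {
        long need = layer_feed(&L1, p1 + pos, segs[i]);
        printf("segment %d (%zu bytes): P1 pdus=%d P2 pdus=%d, still need %ld\n",
               i + 1, segs[i], L1.pdus, L2.pdus, need);
        pos += segs[i];
    }
    snprintf(last_p2, last_sz, "%s", L2.last);
    return L2.pdus;
}

int main(void) {
    char last[BUFSZ];
    int n = run_demo(last, sizeof last);
    printf("reassembled %d P2 PDUs, last = \"%s\"\n", n, last);
    return 0;
}
```

The point of the per-layer buffer is that P1 never has to know where P2's boundaries fall: it frames its own PDUs, passes each payload down, and the "still need N bytes" value it returns to the TCP driver is P2's deficit whenever P1 itself is on a boundary. The size check before the memcpy is the part a real dissector must not skip, since a length field is attacker-controlled input.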