Wireshark-dev: Re: [Wireshark-dev] TCP Reassembler
From: Michael Ngo <[email protected]>
Date: Wed, 8 Aug 2007 17:29:51 -0700 (PDT)
I attached an example as Richard asked. The sequence
numbers I refer to, are relative sequence numbers.
Also this is not a complete capture, I filtered out
enough packets for explanation purposes. So the
situation is that frame 3 is an out-of-order packet
with sequence number 10876 and length 1058. There is
also frame 16, which has sequence number 11680 and
length 1460. So by looking at this, there is a segment
overlap between the two. So when I call the
tcp_dissect_pdus function in my dissector, it attempts
to reassemble with the wrong length. This length is
miscalculated when it reads the first 12 bytes from
the reassembled frames 3, 16, 17, and so on, in that
order. The correct behavior that I am expecting is
that the suspected retransmissions in frames 5, 7, 8,
10, 11, 12, 14, 15, and 16 are not really
retransmissions. So the reassembler should continue
assembling frames, at frame 5 and then stick in frame
3 where it fits. However in this example, frame 3
overlaps with other frames so it will be redundant
data. So now I have another question. Is there some
option or flag I have to check/change in order for the
assembler to not copy the redundant data?

Mike

--- Richard van der Hoff <[email protected]>
wrote:

> On Wed, 8 Aug 2007, Michael Ngo wrote:
> 
> > Hi
> >
> > I'm not sure if the reassembler is buggy or if I
> am
> > using it wrong. I'm using it like this
> >
> > tcp_dissect_pdus(tvb, pinfo, tree, TRUE, 12,
> > get_foo_length, dissect_foo_message)
> >
> > where get_foo_length returns the length of the
> packet
> > and dissect_foo_message is my dissector.
> 
> <snip>
> 
> I'm totally confused by your description. But
> wiresharks' attempts at 
> packet reassembly in the face of retransmissions and
> out-of-order packets
> are inherently a bit best-effort, as it has to be
> able to do a reasonable 
> job at reassembly with potentially only a single
> pass through the traffic. 
> If you really think it could do better, could you
> supply an example 
> capture with an explanation as to what it's doing
> wrong?
> 
> Cheers
> 
> Richard
> _______________________________________________
> Wireshark-dev mailing list
> [email protected]
>
http://www.wireshark.org/mailman/listinfo/wireshark-dev
> 



       
____________________________________________________________________________________
Building a website is a piece of cake. Yahoo! Small Business gives you all the tools to get online.
http://smallbusiness.yahoo.com/webhosting 

Attachment: test.pcap
Description: 524190959-test.pcap