
Wireshark-dev: [Wireshark-dev] Troubles with tcp_dissect_pdu()

From: "J.C. Wren" <jcwren@xxxxxxxxx>
Date: Fri, 14 Dec 2007 16:42:19 -0500
I have a plugin I've written that uses tcp_dissect_pdu().  I'm
continuing to have troubles getting a PDU that spans a TCP packet
working correctly.

A packet in my protocol is a sigil (0xaa), 2 octets that don't matter,
then an octet that specifies the total length of the packet, less the
sigil.  So an 8 octet packet would be 0xaa, 0x00, 0x00, 0x07, 0xde,
0xad, 0xbe, 0xef.  Packet lengths can range from 8 octets to 127
octets.

The problem arises when the first four octets span two TCP packets,
and occurs as the first octet in the packet it's spanning into
(there may be other conditions that I haven't run into yet).
Wireshark indicates that it's a reassembled PDU, and displays the
following under the [Reassembled TCP Segments (4 bytes): #11(3),
#12(1)] expansion.
  [Frame: 11, payload: 0-2 (3 bytes)]
  [Frame: 12, payload: 3-3 (1 byte)]

In the frame that causes an error, the end of frame 11 has 0xaa, 0x00,
0x05, and frame 12 has 0x1e.  The total packet length is 31 octets
(including the sigil), but the dissector is only showing 4 octets
total.

I'm pretty sure I've implemented my code correctly, based on the
examples I've found, and perusing the source code.  I'm hoping someone
else would be willing to take a look at it, and see if I've done
something stupid (not unlikely), or if it's an actual PDU reassembly
issue (less likely).  Specifically the error occurs at the end of
frame 11, the virtual frame 12, and frame 13.

I've posted a complete zip file at
http://jcwren.com/wireshark/ws.tar.gz.  This includes the Wireshark
sources, and a pcap file called 'small.pcap'.  The file in question
would be plugins/r3/packet-r3.c, with the relevant code at the end of
the file (please avoid snickering and outright mockery :) )

Any help would be greatly appreciated.

Thanks,
--jc
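To make the framing in this message concrete, here is an added stand-alone C example (written for this page; it is not J.C. Wren's packet-r3.c and does not call Wireshark's tcp_dissect_pdus). It models the two pieces a length-prefixed TCP dissector needs: a length callback that refuses to answer until all four header octets are in hand and returns the total including the sigil, and a small buffer-and-deliver loop that stands in for Wireshark's desegmentation. The names r3_get_pdu_len, r3_feed and r3_stream are hypothetical, and the two segments in main() are constructed to reproduce the split described for frames 11 and 12 (header 0xaa 0x00 0x05 at the end of one segment, length octet 0x1e at the start of the next).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Framing as described in the post: sigil 0xaa, two don't-care octets, then
 * one octet giving the total length less the sigil. Valid totals are 8..127. */
#define R3_SIGIL     0xAA
#define R3_FIXED_HDR 4    /* octets that must be present before the length is readable */
#define R3_MIN_LEN   8
#define R3_MAX_LEN   127

/* Stand-in for a tcp_dissect_pdus get_pdu_len callback (hypothetical name):
 * returns the full PDU length including the sigil, or 0 when fewer than
 * R3_FIXED_HDR octets are available at 'offset' or the header is not valid. */
size_t r3_get_pdu_len(const uint8_t *buf, size_t avail, size_t offset)
{
    if (offset > avail || avail - offset < R3_FIXED_HDR)
        return 0;                               /* must wait for more data */
    if (buf[offset] != R3_SIGIL)
        return 0;                               /* not at a frame boundary */
    size_t len = (size_t)buf[offset + 3] + 1;   /* +1 puts the sigil back in */
    if (len < R3_MIN_LEN || len > R3_MAX_LEN)
        return 0;                               /* out-of-range: treat as corrupt */
    return len;
}

/* Minimal stream reassembler standing in for what tcp_dissect_pdus does:
 * buffer segment payloads until a whole PDU is present, then hand it off. */
typedef struct {
    uint8_t buf[4096];
    size_t  used;       /* octets buffered but not yet consumed */
    int     pdus;       /* complete PDUs delivered so far */
    size_t  last_len;   /* length of the most recent complete PDU */
} r3_stream;

void r3_stream_init(r3_stream *s) { memset(s, 0, sizeof *s); }

/* Feed one TCP segment payload. Returns the number of complete PDUs delivered
 * by this call, or -1 on buffer overflow / framing error (stream is reset). */
int r3_feed(r3_stream *s, const uint8_t *seg, size_t seglen)
{
    if (seglen > sizeof s->buf - s->used) { s->used = 0; return -1; }
    memcpy(s->buf + s->used, seg, seglen);
    s->used += seglen;

    int    found = 0;
    size_t off   = 0;
    while (s->used - off >= R3_FIXED_HDR) {
        size_t len = r3_get_pdu_len(s->buf, s->used, off);
        if (len == 0) { s->used = 0; return -1; }   /* bad sigil or length */
        if (s->used - off < len)
            break;                   /* PDU continues in a later segment */
        s->pdus++;
        s->last_len = len;
        found++;
        off += len;
    }
    /* Keep any partial PDU: fewer than 4 header octets, or header but no body. */
    memmove(s->buf, s->buf + off, s->used - off);
    s->used -= off;
    return found;
}

int main(void)
{
    /* Constructed sample: segment A = one complete 8-octet PDU followed by the
     * first three octets of the next one; segment B starts with the length
     * octet 0x1e (30 + sigil = 31 octets) of that second PDU. */
    static const uint8_t seg_a[] = { 0xaa,0x00,0x00,0x07,0xde,0xad,0xbe,0xef,
                                     0xaa,0x00,0x05 };
    uint8_t seg_b[28];
    seg_b[0] = 0x1e;
    memset(seg_b + 1, 0x41, sizeof seg_b - 1);

    r3_stream s;
    r3_stream_init(&s);
    int n = r3_feed(&s, seg_a, sizeof seg_a);
    printf("segment A: %d PDU(s), %zu octet(s) held back\n", n, s.used);
    n = r3_feed(&s, seg_b, sizeof seg_b);
    printf("segment B: %d PDU(s), last PDU %zu octets, %zu held back\n",
           n, s.last_len, s.used);
    return 0;
}
```

The two properties worth checking against a real dissector are the ones the example pins down: the length callback is only consulted once all 4 header octets are available (in tcp_dissect_pdus that is what the fixed-length argument controls), and the value it returns is the total PDU size including the sigil, so 0x1e must come back as 31, not 30. If either is off, the reassembled unit ends at the header and the remaining 27 octets are attributed to the next frame, which matches the symptom of only 4 octets being shown.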