
Wireshark-dev: Re: [Wireshark-dev] Troubles with tcp_dissect_pdu()

From: "Gerhard Olsson" <gerhard.nospam@xxxxxxxxx>
Date: Fri, 14 Dec 2007 22:48:54 +0100
Probably the same as this bug:
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2103

A preliminary patch exists.

--
Gerhard

On Dec 14, 2007 10:42 PM, J.C. Wren <jcwren@xxxxxxxxx> wrote:
> I have a plugin I've written that uses tcp_dissect_pdu().  I'm
> continuing to have troubles getting a PDU that spans a TCP packet
> working correctly.
>
> A packet in my protocol is a sigil (0xaa), 2 octets that don't matter,
> then an octet that specifies the total length of the packet, less the
> sigil.  So an 8 octet packet would be 0xaa, 0x00, 0x00, 0x07, 0xde,
> 0xad, 0xbe, 0xef.  Packet lengths can range from 8 octets to 127
> octets.
>
> The problem arises when the first four octets span two TCP packets,
> and occurs as the first octet in the packet it's spanning into
> (there may be other conditions that I haven't run into yet).
> Wireshark indicates that it's a reassembled PDU, and displays the
> following under the [Reassembled TCP Segments (4 bytes): #11(3),
> #12(1)] expansion.
>   [Frame: 11, payload: 0-2 (3 bytes)]
>   [Frame: 12, payload: 3-3 (1 byte)]
>
> In the frame that causes an error, the end of frame 11 has 0xaa, 0x00,
> 0x05, and frame 12 has 0x1e.  The total packet length is 31 octets
> (including the sigil), but the dissector is only showing 4 octets
> total.
>
> I'm pretty sure I've implemented my code correctly, based on the
> examples I've found, and perusing the source code.  I'm hoping someone
> else would be willing to take a look at it, and see if I've done
> something stupid (not unlikely), or if it's an actual PDU reassembly
> issue (less likely).  Specifically the error occurs at the end of
> frame 11, the virtual frame 12, and frame 13.
>
> I've posted a complete zip file at
> http://jcwren.com/wireshark/ws.tar.gz.  This includes the Wireshark
> sources, and a pcap file called 'small.pcap'.  The file in question
> would be plugins/r3/packet-r3.c, with the relevant code at the end of
> the file (please avoid snickering and outright mockery :) )
>
> Any help would be greatly appreciated.
>
> Thanks,
> --jc
-- 
Gerhard
The sender address really contains .nospam.
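For the framing J.C. describes, here is an added stand-alone C model of what tcp_dissect_pdus() has to do for this protocol; it is neither poster's code nor Wireshark's. It fixes the header size at 4 octets, implements the get_pdu_len contract (length octet + 1 for the sigil), and replays the exact split from the post, where one segment ends with aa 00 05 and the next begins with 1e. The names r3_stream, r3_feed and r3_pdu_len are hypothetical, and the PDU bodies are constructed filler.

```c
#include <stddef.h>
#include <stdint.h>
/* Hypothetical stand-alone model of the r3 framing from the post: 0xaa sigil,
 * two don't-care octets, then a length octet counting every byte after the
 * sigil. tcp_dissect_pdus() wants a fixed header size (4 here) plus a
 * get_pdu_len callback; r3_pdu_len() plays that callback and r3_feed() plays
 * the segment buffering that must survive a header split across segments. */
#define R3_SIGIL   0xaa
#define R3_HDR_LEN 4    /* octets needed before the PDU length is known */
#define R3_MAX_PDU 256  /* length octet max 255, plus the sigil */
/* Same contract as a get_pdu_len callback: total PDU size including the sigil. */
static size_t r3_pdu_len(const uint8_t *hdr) { return (size_t)hdr[3] + 1; }
typedef struct {
    uint8_t buf[R3_MAX_PDU];
    size_t  have;      /* octets buffered toward the current PDU */
    size_t  pdus;      /* complete PDUs delivered so far */
    size_t  last_len;  /* size of the most recent complete PDU */
    size_t  skipped;   /* octets dropped while resynchronising on the sigil */
} r3_stream;

/* Feed one TCP segment payload; buffered state carries over to the next one. */
static void r3_feed(r3_stream *s, const uint8_t *seg, size_t len) {
    for (size_t i = 0; i < len; i++) {
        if (s->have == 0 && seg[i] != R3_SIGIL) { s->skipped++; continue; }
        s->buf[s->have++] = seg[i];
        if (s->have < R3_HDR_LEN) continue;   /* length octet not seen yet */
        size_t need = r3_pdu_len(s->buf);
        if (need < R3_HDR_LEN) { s->skipped += s->have; s->have = 0; continue; }
        if (s->have == need) { s->pdus++; s->last_len = need; s->have = 0; }
    }
}

/* Constructed reproduction of the post's case: "frame 11" ends with aa 00 05
 * and "frame 12" starts with 1e, so the whole PDU is 0x1e + 1 = 31 octets. */
static size_t r3_demo_split_header(void) {
    uint8_t pdu[31] = {0xaa, 0x00, 0x05, 0x1e};
    for (size_t i = 4; i < sizeof pdu; i++) pdu[i] = (uint8_t)i;  /* filler body */
    r3_stream s = {0};
    r3_feed(&s, pdu, 3);                   /* header cut after three octets */
    r3_feed(&s, pdu + 3, sizeof pdu - 3);  /* length octet arrives here */
    return s.pdus == 1 ? s.last_len : 0;   /* 31 when reassembly works */
}

/* The post's 8-octet example, delivered in a single segment. */
static size_t r3_demo_eight_octets(void) {
    const uint8_t pdu[] = {0xaa, 0x00, 0x00, 0x07, 0xde, 0xad, 0xbe, 0xef};
    r3_stream s = {0};
    r3_feed(&s, pdu, sizeof pdu);
    return s.pdus == 1 ? s.last_len : 0;   /* 8 */
}
```

The point of the model is that nothing is decided until all four header octets have been buffered, which is exactly the situation the real dissector has to survive when the length octet lands in the following segment.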