
Wireshark-dev: Re: [Wireshark-dev] : Plugin dissector not called when wireshark reassembles the message

From: "Eli Ofenstein" <eli.ofenstein@xxxxxxxxx>
Date: Fri, 29 Feb 2008 20:06:10 -0600
I have had a similar issue with my plugin.  What I see is the following behavior:

- my dissector is called at the beginning of the PDU
- my dissector calls tcp_dissect_pdus().  The length retrieval function yields the correct value for the PDU length, which exceeds the size of the current packet.
- tcp_dissect_pdus() notes that the PDU size exceeds the packet size and sets up the reassembly variables in the packet_info struct.
- tcp_dissect_pdus() returns, my dissector exits.
- Instead of returning to my dissector when the PDU is reassembled, the TCP dissector calls my dissector for each packet within the PDU.  Since those packets do not begin on a PDU start, my dissector discards them.

The result is similar to what has been stated here.  Each packet is denoted as being part of a reassembled PDU, but the reassembled PDU is never actually returned to the dissector, nor is the reassembly info (i.e. the source frames) ever denoted in the PDU's final packet.

When I traced back into the TCP dissector, I noticed that there was never a non-null tcp_analysis struct associated with the conversation.  It was always null.  Since this is where flow state is stored, the dissector could never reassemble my fragmented PDUs.  I didn't get any further than that, as I got sidetracked onto other projects.
On Fri, Feb 29, 2008 at 12:51 AM, Merlin Hooze <me_merlin18@xxxxxxxxx> wrote:
Hello, thanks for your response.
The maximum lengths returned by get_myplugin_pdu_len() are 1028 and 17161.
Might that be a problem?

But I can't understand why the message length is showing such a big value, as the messages are quite small!

Thanks

--- On Thu, 2/28/08, Jaap Keuter <jaap.keuter@xxxxxxxxx> wrote:

> From: Jaap Keuter <jaap.keuter@xxxxxxxxx>
> Subject: Re: [Wireshark-dev] : Plugin dissector not called when wireshark reassembles the message
> To: me_merlin18@xxxxxxxxx, "Developer support list for Wireshark" <wireshark-dev@xxxxxxxxxxxxx>
> Date: Thursday, February 28, 2008, 5:44 PM
> Hi,
>
> What does get_myplugin_pdu_len() return? I think this value
> is too high, hence the TCP dissector never sees the end of
> the payload.
>
> Thanx,
> Jaap
>
> Merlin Hooze wrote:
> > Hi,
> >
> > I have created a plugin for Wireshark, which works
> > fine normally but it's not able to dissect when the message
> > is split and reassembled by Wireshark. In my dissector I am
> > using the following function, as below:
> >
> > tcp_dissect_pdus(message_tvb, pinfo, tree, TRUE, 5,
> >     get_myplugin_pdu_len, dissect_myplugin);
> >
> > But when I capture the trace, I can see the protocol
> > as [TCP segment of a reassembled PDU] only. Looks like the
> > dissector function for my plugin is not called.
> > I guess [TCP segment of a reassembled PDU] is
> > displayed when Wireshark is reassembling the packets. So
> > when it's reassembling, why is it not calling my dissector
> > after it has reassembled?
> >
> > Any hints ?
> >
> > Thanks..
> >
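Jaap's diagnosis above (a length callback that returns more bytes than the stream will ever carry, so the TCP dissector keeps waiting and the frames stay marked "[TCP segment of a reassembled PDU]") can be reproduced outside Wireshark. The following is an added example written for this page, not code from the thread or from Wireshark itself: it models the fixed_len / get_pdu_len / dissect_pdu contract of tcp_dissect_pdus() with a hypothetical 5-byte header (1-byte type, 4-byte big-endian body length that excludes the header), a correct length callback, a wrong-endian one, and a loop showing how the returned length decides between dissecting and asking for more data. The header layout, the MAX_PDU bound, the sample stream and all function names are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for the fixed_len / get_pdu_len / dissect_pdu contract
 * of tcp_dissect_pdus(); none of this is Wireshark code. Assumed (hypothetical)
 * wire format: 1-byte type, 4-byte big-endian body length that excludes the
 * 5-byte header, then the body. */
#define HDR_LEN 5u
#define MAX_PDU 65536u  /* assumed upper bound for a sane PDU; anything larger is treated as corrupt */

typedef uint32_t (*len_fn)(const uint8_t *buf, size_t offset);

/* Correct length callback: called with at least HDR_LEN bytes available at
 * offset, returns the TOTAL PDU length, fixed header included. */
static uint32_t get_pdu_len(const uint8_t *buf, size_t offset)
{
    uint32_t body = ((uint32_t)buf[offset + 1] << 24) | ((uint32_t)buf[offset + 2] << 16)
                  | ((uint32_t)buf[offset + 3] << 8)  |  (uint32_t)buf[offset + 4];
    return body + HDR_LEN;
}

/* Buggy variant: reads the field little-endian, so small lengths become huge ones. */
static uint32_t get_pdu_len_wrong_endian(const uint8_t *buf, size_t offset)
{
    uint32_t body = ((uint32_t)buf[offset + 4] << 24) | ((uint32_t)buf[offset + 3] << 16)
                  | ((uint32_t)buf[offset + 2] << 8)  |  (uint32_t)buf[offset + 1];
    return body + HDR_LEN;
}

struct pass_result {
    int      pdus_dissected; /* PDUs handed to the per-PDU dissector */
    uint32_t bytes_needed;   /* >0: waiting for more data, i.e. desegmentation was requested */
    int      rejected;       /* 1: length failed the sanity check and dissection stopped */
};

/* Mirrors the loop tcp_dissect_pdus() runs over the data it currently has:
 * compute the length, ask TCP for more bytes if the PDU is incomplete,
 * otherwise dissect it and advance. max_pdu == 0 disables the upper bound. */
static struct pass_result dissect_stream(const uint8_t *buf, size_t avail,
                                         len_fn get_len, uint32_t max_pdu)
{
    struct pass_result r = {0, 0, 0};
    size_t off = 0;

    while (off < avail) {
        size_t remaining = avail - off;
        if (remaining < HDR_LEN) {           /* not even the fixed header has arrived */
            r.bytes_needed = HDR_LEN - (uint32_t)remaining;
            break;
        }
        uint32_t plen = get_len(buf, off);
        if (plen < HDR_LEN || (max_pdu && plen > max_pdu)) {
            r.rejected = 1;                  /* corrupt or hostile length: stop rather than stall */
            break;
        }
        if (plen > remaining) {              /* PDU continues in a later segment */
            r.bytes_needed = plen - (uint32_t)remaining;
            break;
        }
        /* dissect_pdu(buf + off, plen) would run here */
        r.pdus_dissected++;
        off += plen;
    }
    return r;
}

/* Constructed sample stream: two PDUs, 8 and 15 bytes long (23 bytes total). */
static const uint8_t sample[] = {
    0x01, 0x00, 0x00, 0x00, 0x03, 'a', 'b', 'c',
    0x02, 0x00, 0x00, 0x00, 0x0a, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,
};

/* Observable results for a given number of bytes that have arrived so far. */
int pdus_after(size_t avail)              { return dissect_stream(sample, avail, get_pdu_len, MAX_PDU).pdus_dissected; }
uint32_t bytes_needed_after(size_t avail) { return dissect_stream(sample, avail, get_pdu_len, MAX_PDU).bytes_needed; }
uint32_t wrong_endian_unchecked(void)     { return dissect_stream(sample, sizeof sample, get_pdu_len_wrong_endian, 0).bytes_needed; }
int wrong_endian_checked(void)            { return dissect_stream(sample, sizeof sample, get_pdu_len_wrong_endian, MAX_PDU).rejected; }

int main(void)
{
    printf("full stream: %d PDUs dissected\n", pdus_after(sizeof sample));
    printf("15 bytes arrived: %d PDU, %u more bytes needed\n", pdus_after(15), (unsigned)bytes_needed_after(15));
    printf("wrong endian, unchecked: waiting for %u bytes\n", (unsigned)wrong_endian_unchecked());
    printf("wrong endian, checked: rejected=%d\n", wrong_endian_checked());
    return 0;
}
```

The three properties of a real get_pdu_len that this loop makes visible are the ones to verify when a plugin shows the symptom in the thread: the callback must return the total length including the fixed_len header, it must read the field in the protocol's byte order, and, since the value comes straight off the wire, it should refuse lengths that cannot be a valid PDU instead of asking the TCP dissector to buffer an arbitrary amount of data on the sender's say-so.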

