Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-dev: Re: [Wireshark-dev] How to reassemble in dissector plugins if fixed len part is

From: John R. Hogerhuis <jhoger@xxxxxxxxx>
Date: Thu, 13 Mar 2008 18:50:50 +0000 (UTC)
Guy Harris <guy@...> writes:

> 
> Merlin Hooze wrote:
> 
> > For a disector plugin, if the fixed length part of the message is
> > split across tcp segments, can wireshark reassemble it?
> 
> It should be able to do so.  If not, that's a bug.  (That's why the size 
> of the fixed-length part of the message is passed as an argument to 
> tcp_dissect_pdus()).
> 
> There were, in at least some Wireshark releases, bugs that caused that 
> not to work correctly.  Try it with the latest version of Wireshark, 
> and, if it doesn't work, file a bug on bugs.wireshark.org, preferably 
> with a sample capture file that demonstrates the bug (just include 
> enough packets to demonstrate the problem - you can throw all other 
> packets away, as long as loading the resulting capture shows the problem).

Last time I checked it was still a problem.

http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1124 . The bug report shows
that anuj made a comment on 3/12 that he is still experiencing the same problem.

No point in adding a duplicate bug, please update 1124.

This has been languishing for a long time: 2006-09-25. I did my part by making
it reproducible with non-proprietary protocol. Unfortunately I don't understand
the wireshark guts well enough to fix this myself. The code in this particular
area is too hard for my tiny brain to grok.

No one seems to dispute that this is a bug. But I guess it also requires someone
to 'take an interest' in it. Given that few TCP based application protocols send
large numbers of small packets (my application does since it's an RFID reader
sending EPC notifications... smaller the packet, greater the number, increases
dramatically the probability of breaking a header across packets) I was
basically told way back when that the interest level was low.

So unless someone commits to fixing it if it is still reproducible, I am not
putting any more debug time into this one. In any event, the steps to repro are
there for the taking, and probably still repro the bug since this issue comes up
about every month or two.

-- John.