Hi,
I'm developing a plugin dissector for a protocol used by
a telephony over IP application on top of TCP protocol.
Wireshark version is 0.99.5.
Packets have this format:
fmessage == one pdu (length=messagelength+18)
|<------------------------------------------>|
| |
|---------+--------+----+-------------+--------+--||---+
|tcpHeader|55555555|0000|messageLength|messgeId|details|
|---------+--------+----+-------------+--------+--||---+
| |
|<------------------------->|<-------------->|
First 18 byte needed to messageLength
determine the pdu length bytes
A single tcp packet can contain one or more fmessage and
can be fragmented.
I wrote a dissector follow this chapter of the developers guide:
<http://www.wireshark.org/docs/wsdg_html_chunked/ChDissectReassemble.html>
When a single, large pdu is splitted over more TCP packet the
reassembling procedure work fine.
When a single tcp packet contain more pdus the dissection work
fine over all the pdus.
Problem arise in the following case with multiple pdu in the first
TCP packet with the last pdu fragmented before the minimum size
to determine his length (18 bytes):
pdu3 fragmented!
|<-------------...--------------------------->
| This part is in another packet
|---------+----+----+--------+----+...----------+--------+--||---+
|tcpHeader|pdu1|pdu2|55555555|0000|messageLength|messgeId|details|
|---------+----+----+--------+----+...----------+--------+--||---+
^
FRAGMENTED HERE!
(16 byte)
The following TCP packet contain the other piece of the pdu3:
|---------+-------------+--------+--||---+
|tcpHeader|messageLength|messgeId|details|
|---------+-------------+--------+--||---+
In the first packet pdu1 and pdu2 are correctly dissected in detail
but the packet is not marked as frammented and the beginning
of pdu3 is totally ignored last.
The packet with the other part of pdu3 is marked as
[TCP segment of a reassembled PDU]
and never reassembled.
The pdu 3 is missed!
Can anyone suggest me where I'm wrong and/or how to obtain
reassembling work?
My code is as the follow:
___________________________________________________
static const guint numberOfBytesNeededToKnowFmessageLenght = 18;
/* The main dissecting routine */
static int dissect_phones_server(tvbuff_t *tvb, packet_info *pinfo,
proto_tree *tree)
{
tcp_dissect_pdus(tvb, pinfo, tree, TRUE,
numberOfBytesNeededToKnowFmessageLenght, //==18
get_phones_server_message_len,
dissect_phones_server_message);
return 1;
}
/* This method dissects fully reassembled messages */
static int dissect_phones_server_message(tvbuff_t *tvb, packet_info
*pinfo, proto_tree *tree)
{
guint offset = 0;
if (tree)
{
// DISSECTION DETAILS FOR THE FMESSAGE
}
return offset;
}
/* determine PDU length of protocol phones_server */
static guint get_phones_server_message_len(packet_info *pinfo, tvbuff_t
*tvb, int offset)
{
guint messageLength = 0;
messageLength = (guint)get_k_byte_from_n(tvb, offset+16, 2);
return (messageLength+18); // 18 is the lenght of the header
}
________________________________________________________
Thanks,
Fabio
--
Email.it, the professional e-mail, gratis per te: http://www.email.it/f
Sponsor:
VOGLIA DI VACANZE ?
* A Riccione i Family Hotels sono gli alberghi specializzati per le vacanze dei bambini
Clicca qui: http://adv.email.it/cgi-bin/foclick.cgi?mid=8061&d=30-6
