
Wireshark-dev: Re: [Wireshark-dev] How to handle duplicate fragments for a plugin written on to

From: siri m <svu004@xxxxxxxxx>
Date: Tue, 7 Apr 2009 16:20:37 -0700
Hi all,

I have a few questions with regard to eliminating the duplicate
fragments for a plugin written on top of UDP.

Q1: I would like to know how we can obtain the UDP CRC from within the
custom plugin written on top of UDP? I tried to get the checksum by
providing a negative offset (-2) to tvb_get_ntohs(tvb, offset), but
that doesn't work. Is there any other way to obtain the UDP CRC from
within my plugin?

Q2: Currently, the re-assembly of the fragments is happening using
fragment_add_seq_check and then process_reassembled_data, which
cannot handle duplicate fragments.
E.g.: frag 0, frag 0, frag 1, frag 1, frag 2, frag 2 (assuming
there are 3 fragments). Each fragment contains a seq. no. that I can
utilize.
I tried to use the following:
fd_head = fragment_get(pinfo, uniqueid, msg_fragment_table);
and tried to iterate through the list to find if there is a fragment
with the current fragment number in the msg_fragment_table, and only
then, call the fragment_add_seq_check(...).
Is there a better way to do this? Is there a simpler way to make the
re-assembly code aware that it is a duplicate fragment?

Any suggestions would help me a lot,

Regards,


On 3/26/09, philippe alarcon <philippe.alarcon@xxxxxxx> wrote:
>
> Hi,
>
> If your dissector is on top of UDP, you can check the UDP checksum.
>
> The CRC should be the same for identical fragments.
>
> Regards
> Philippe
>
> Date: Wed, 25 Mar 2009 17:13:35 -0800
> From: svu004@xxxxxxxxx
> To: wireshark-dev@xxxxxxxxxxxxx
> Subject: [Wireshark-dev] How to handle duplicate fragments for a
> plugin written on top of UDP?
>
> Hi,
>
> We have a legacy custom plugin (written on top of UDP), which handles
> multicast packets which may be fragmented, which works fine for normal
> scenarios. However, the plugin fails to decode for the cases where there can
> be duplicate fragments (e.g. one coming from the actual host and another
> one from a firewall). The fragments are exactly the same except that the
> Ethernet source address is different.
>
>
> Can someone give me pointers as to how we could handle this special case
> when re-assembling the fragments? Is there a way to ignore packets coming
> from the firewall? Are there any sample plugins that have handled this case,
> which I can refer to?
>
>
> Any suggestions would help me a lot,
>
> Thanks,
> siri
>
>
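
Added example, not part of the thread and not Wireshark code: a stand-alone C sketch of the duplicate check discussed above, keyed on the per-fragment sequence number and run before a fragment is handed to reassembly. The names (frag_filter, msg_state, the size limits) are hypothetical and no Wireshark API is called; a same-sequence fragment with different bytes is reported separately from a byte-identical copy, because which copy wins changes the reassembled message.

```c
#include <stdint.h>
#include <string.h>

#define MAX_FRAGS    16   /* assumed upper bound on fragments per message */
#define MAX_FRAG_LEN 64   /* assumed upper bound on fragment payload size */

enum frag_result { FRAG_NEW, FRAG_DUPLICATE, FRAG_CONFLICT, FRAG_REJECTED };

/* Hypothetical per-message state, one instance per unique message id. */
struct msg_state {
    uint32_t seen;                         /* bit n set once fragment n is stored */
    uint16_t len[MAX_FRAGS];
    uint8_t  data[MAX_FRAGS][MAX_FRAG_LEN];
};

/* Classify a fragment; only FRAG_NEW should be handed on to reassembly. */
enum frag_result frag_filter(struct msg_state *m, unsigned seq,
                             const uint8_t *payload, size_t len)
{
    if (seq >= MAX_FRAGS || len > MAX_FRAG_LEN)
        return FRAG_REJECTED;              /* bounds check before touching state */
    if (m->seen & (1u << seq)) {
        if (m->len[seq] == len && memcmp(m->data[seq], payload, len) == 0)
            return FRAG_DUPLICATE;         /* byte-identical copy: skip it */
        return FRAG_CONFLICT;              /* same seq, different bytes: report */
    }
    memcpy(m->data[seq], payload, len);
    m->len[seq] = (uint16_t)len;
    m->seen |= 1u << seq;
    return FRAG_NEW;
}

/* Constructed sample: the arrival order from the post (0, 0, 1, 1, 2, 2). */
unsigned demo_accepted(void)
{
    static const char *frag[3] = { "AAA", "BBB", "CC" };
    static const unsigned order[6] = { 0, 0, 1, 1, 2, 2 };
    struct msg_state m = { 0 };
    unsigned i, accepted = 0;
    for (i = 0; i < 6; i++) {
        const char *p = frag[order[i]];
        if (frag_filter(&m, order[i], (const uint8_t *)p, strlen(p)) == FRAG_NEW)
            accepted++;                    /* would be passed to reassembly here */
    }
    return accepted;
}
```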