Wireshark-dev: [Wireshark-dev] tcp_dissect_pdus not reassembling data correctly

From: Hugo Mills <h.r.mills@xxxxxxxxxxxxx>
Date: Wed, 22 Jul 2009 11:39:09 +0100
   Hi,

   I'm trying to write a new dissector for a protocol used by a piece
of software we've developed, and I'm encountering some difficulty
getting tcp_dissect_pdus() to reassemble packets.

   The software that communicates using the protocol is sending the
first four octets (an octet count of the remainder of the message) in
a separate TCP packet, and I'd like to be able to reassemble the two
packets into one for my dissector. However, tcp_dissect_pdus() doesn't
seem to be doing that job: it complains that the first, short, packet
was truncated during capture, and then goes on to treat the second
packet as a new protocol message (leading to a faulty dissection).

   An example dump of a network message is here[1].

   The code I'm using to do the dissection is at [2], running as a
plugin, and I'm using the Wireshark 1.0.2 sources from Debian stable
("lenny") as a development platform.

   Hugo.

[1] http://acet.rdg.ac.uk/~hrm/files/temp/necho-single-message.dump
[2] http://acet.rdg.ac.uk/~hrm/files/temp/packet-tycho.c

-- 
Hugo Mills                                  Research Fellow, ACET group,
                             Systems Engineering, University of Reading.
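
The framing described in the message above (a four-octet count followed by that many octets, with the count arriving in its own TCP segment), modelled as an added stand-alone example. It is not Wireshark's tcp_dissect_pdus() code and not the poster's dissector; the names framer and framer_feed, the big-endian byte order and the MAX_PDU cap are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN 4        /* from the post: four-octet count of the remainder */
#define MAX_PDU 65536    /* assumption: upper bound on a sane body length */

typedef struct {
    uint8_t buf[HDR_LEN + MAX_PDU];
    size_t  have;        /* bytes buffered for the PDU in progress */
    size_t  last_len;    /* body length of the most recently completed PDU */
} framer;

/* Assumption: big-endian count; the post does not state the byte order. */
static uint32_t body_len(const uint8_t *h) {
    return ((uint32_t)h[0] << 24) | ((uint32_t)h[1] << 16) |
           ((uint32_t)h[2] << 8) | (uint32_t)h[3];
}

/* Feed one TCP segment payload. Returns the number of PDUs it completed,
 * or -1 when a declared length exceeds MAX_PDU (stream is rejected). */
int framer_feed(framer *f, const uint8_t *seg, size_t n) {
    int done = 0;
    while (n > 0) {
        size_t want = HDR_LEN;               /* header first, body second */
        if (f->have >= HDR_LEN) {
            if (body_len(f->buf) > MAX_PDU) return -1;
            want += body_len(f->buf);
        }
        size_t take = want - f->have < n ? want - f->have : n;
        memcpy(f->buf + f->have, seg, take);
        f->have += take; seg += take; n -= take;
        if (f->have < HDR_LEN) continue;     /* header itself is still split */
        uint32_t len = body_len(f->buf);
        if (len > MAX_PDU) return -1;        /* never trust the wire length */
        if (f->have == HDR_LEN + len) {      /* whole PDU: hand to dissector */
            f->last_len = len; f->have = 0; done++;
        }
    }
    return done;
}

int main(void) {
    /* Constructed sample: length header and body in separate segments. */
    static framer f;
    const uint8_t hdr[] = {0, 0, 0, 5}, body[] = {'h', 'e', 'l', 'l', 'o'};
    int first = framer_feed(&f, hdr, 4);
    printf("%d %d\n", first, framer_feed(&f, body, 5));
}
```

The header-only segment completes no PDU and leaves four bytes buffered; the message is delivered only once the second segment supplies the body.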