Wireshark-dev: Re: [Wireshark-dev] Reassembly of Split TCP packets - tcp_dissect_pdus() and "Fo
From: wsgd <[email protected]>
Date: Thu, 13 Aug 2009 20:36:45 +0200
Selçuk Cevher wrote:
Hi All,

I am new to Wireshark development and, at this stage, mostly interested in the inner workings of Wireshark.
First, I want to make sure that what I currently know about Wireshark
is correct.
In section 9.4.2 "How to reassemble split TCP Packets" of Wireshark's
development guide, I saw that an application layer message can be
carried in a single TCP packet or in multiple ones.
If there are multiple TCP packets carrying an application protocol
message, the application protocol's header is contained only in the
first TCP packet; the remaining packets have application data only.
In this case, to properly dissect the application layer message, the split TCP
packets should first be reassembled. That's why tcp_dissect_pdus() is
used.
On the other hand, the development guide also says that a single TCP
segment can carry multiple application messages at the same time.
In this case, it cannot be assumed that "the message header is at the
start of your TCP payload". Does it mean that there might be multiple
application layer headers in the payload of this single TCP segment,
and that each application header may start from an arbitrary location
depending on the message size?
Yes.

Here is a sequence of application messages:
|header||data.......||header||data.......||header||data.......||header||data.......||header||data.......|

With TCP, you can receive them like these examples:
|packet...............||packet...............||packet...............||packet...............||packet...............|
|packet..........................................................................................................................|
|packet..........................................||packet...............||packet...............||packet...............|
|packet......||packet.........................................................................................||packet....|
|packet..||packet......||packet...........................................................................................|
etc ...


Olivier
My second issue is the "Follow TCP Stream" command.

How does this command relate to the reassembly of split TCP packets or tcp_dissect_pdus()?
The implementation of the "Follow TCP Stream" command should be more
complicated, since it should cover handling dropped, duplicated and
out-of-order TCP packets.
How does Wireshark handle these issues? Where is the implementation of
the "Follow TCP Stream" command in the source tree?
I will really appreciate any help on this in terms of comments,
documents, URLs, etc.
Thanks.
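The framing problem drawn in Olivier's diagram, as an added C illustration (it is not Wireshark code and not a dissector posted on the list): a constructed length-prefixed message format, plus the buffer-and-loop logic that tcp_dissect_pdus() performs on behalf of a dissector, fed with segments cut mid-header and with several messages in one segment. The message format, the stream bytes, the segment cuts and all helper names are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed, hypothetical message format (not a real protocol): 4-byte header =
 * 2-byte big-endian data length + 2-byte message type, then that many data bytes. */
#define HDR_LEN 4
#define MAX_BUF 4096
typedef struct {
    uint8_t buf[MAX_BUF];  /* bytes received but not yet consumed as a whole PDU */
    size_t  len;
    int     pdus;          /* complete PDUs handed to the "dissector" so far */
} stream_t;
/* Same role as the get_pdu_len callback of tcp_dissect_pdus(): given at least
 * HDR_LEN bytes at p, return the total length of the PDU starting there. */
static size_t get_pdu_len(const uint8_t *p) {
    return HDR_LEN + (((size_t)p[0] << 8) | p[1]);
}
/* Feed one TCP segment payload. Mirrors the loop tcp_dissect_pdus() runs: wait for
 * a full header, compute the PDU length, wait for the whole PDU, dissect it, and
 * repeat, since the next header may begin anywhere inside the segment. */
static int feed_segment(stream_t *s, const uint8_t *seg, size_t n) {
    if (n > MAX_BUF - s->len) return -1;          /* never buffer without bound */
    memcpy(s->buf + s->len, seg, n);
    s->len += n;
    size_t off = 0;
    while (s->len - off >= HDR_LEN) {
        size_t plen = get_pdu_len(s->buf + off);
        if (plen > MAX_BUF) return -1;            /* corrupt length: do not trust it */
        if (s->len - off < plen) break;           /* PDU incomplete: wait for more */
        printf("PDU %d: %zu bytes\n", ++s->pdus, plen);
        off += plen;
    }
    memmove(s->buf, s->buf + off, s->len - off);  /* keep only the leftover fragment */
    s->len -= off;
    return 0;
}
/* Constructed stream of three messages (7 + 4 + 6 bytes) delivered in three
 * segments cut at awkward places: mid-header, then two PDUs plus one stray byte. */
static const uint8_t demo_stream[17] = {
    0,3, 0,1, 'a','b','c',   0,0, 0,2,   0,2, 0,3, 'x','y' };
static const size_t demo_cuts[3] = { 2, 10, 5 };
static void demo_run(int nsegs, stream_t *s) {
    const uint8_t *p = demo_stream;
    for (int i = 0; i < nsegs && i < 3; i++) { feed_segment(s, p, demo_cuts[i]); p += demo_cuts[i]; }
}
static int    demo_pdus(int nsegs)     { stream_t s = {{0},0,0}; demo_run(nsegs, &s); return s.pdus; }
static size_t demo_leftover(int nsegs) { stream_t s = {{0},0,0}; demo_run(nsegs, &s); return s.len; }
int main(void) { printf("%d PDUs, %zu bytes left\n", demo_pdus(3), demo_leftover(3)); return 0; }
```

After the first segment nothing is complete (only half a header is buffered); the second segment completes two PDUs and leaves one byte of the third header waiting; the third segment finishes the stream.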
------------------------------------------------------------------------

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <[email protected]>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:[email protected]?subject=unsubscribe