Wireshark-dev: Re: [Wireshark-dev] Reassembly of Split TCP packets - tcp_dissect_pdus() and "Fo
From: Guy Harris <[email protected]>
Date: Thu, 13 Aug 2009 12:31:33 -0700
On Aug 12, 2009, at 11:52 PM, Selçuk Cevher wrote:

On the other hand, the development guide also says that a single TCP segment can carry multiple application messages at the same time.
In this case, it can not be assumed that "the message header is at  
the start of your TCP payload". Does it mean that there might be  
multiple application layer headers in the payload of this single TCP  
segment, and each application header may start from an arbitrary  
location depending on the message size ?

If a TCP segment with multiple application layer packets in it has, at the beginning, the header of the first of those packets, tcp_dissect_pdus() will handle that - it'll call the packet dissector multiple times, once for each of the full packets in that segment.
If the last packet in the segment is continued in the next segment,  
tcp_dissect_pdus() will start reassembly of that packet, so that when  
tcp_dissect_pdus() is called with the next segment, it will continue  
reassembly of that packet.
The only case tcp_dissect_pdus() doesn't handle is the one where the  
first captured segment in the capture starts with something *other*  
than the header of a packet; that would require that it be possible to  
identify PDU headers heuristically and that it scan forward looking  
for the first PDU header.