Wireshark-dev: Re: [Wireshark-dev] Multiple Packets in One TCP Segment
From: Guy Harris <[email protected]>
Date: Fri, 14 Aug 2009 17:56:19 -0700
On Aug 14, 2009, at 1:56 PM, Susan Ditmore wrote:

> I am developing a packet dissector plugin for Wireshark. The packets I am dissecting do not specify their length in their header, but they are terminated by a special character (and can be a variable length). Additionally, multiple complete packets of the protocol may arrive in one TCP segment. I would like to know how to tell Wireshark to divide up these packets. I understand there is a command called tcp_dissect_pdus(), but I believe it needs the length specified in the header. Is this correct?

Yes, it's correct.

There are many different ways of putting messages into a byte stream, so that the receiver can carve the byte stream up. One of them is to begin each message with a header that includes a message length, or that includes data (such as a message type) from which the message length can be inferred; tcp_dissect_pdus() handles that case. It does not handle other cases, as they have to be handled in a very different fashion.

You might look at req_resp_hdrs_do_reassembly() in epan/req_resp_hdrs.c for code that handles a similar case - the headers for protocols such as HTTP continue up to a blank line.
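
The terminator-delimited case discussed in this message, as an added example that is not part of the original post and is not Wireshark code: a standalone C model of the carving loop, with several messages in one segment and a partial message at the end. The terminator value `0x0A`, the `MAX_PDU` cap and the names `carve_pdus`, `carve_result` and `count_cb` are assumptions made for the illustration; in a real dissector the "need more" outcome corresponds to setting `pinfo->desegment_offset` to the start of the partial message and `pinfo->desegment_len` to `DESEGMENT_ONE_MORE_SEGMENT`.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TERMINATOR 0x0A  /* assumed terminator byte; the post does not name one */
#define MAX_PDU    4096  /* assumed cap on how long an unterminated tail may grow */

struct carve_result {
    size_t pdus;      /* complete messages found in the buffer */
    size_t consumed;  /* bytes covered by those messages */
    int need_more;    /* tail has no terminator yet: wait for the next segment */
    int oversize;     /* unterminated tail exceeds MAX_PDU: treat as malformed */
};
typedef void (*pdu_cb)(const unsigned char *pdu, size_t len, void *ctx);

struct carve_result carve_pdus(const unsigned char *buf, size_t len, pdu_cb cb, void *ctx)
{
    struct carve_result r = {0, 0, 0, 0};
    size_t off = 0;
    while (off < len) {
        const unsigned char *end = memchr(buf + off, TERMINATOR, len - off);
        if (end == NULL) {  /* partial message at the end of the data */
            if (len - off > MAX_PDU) r.oversize = 1;
            else r.need_more = 1;
            break;
        }
        size_t pdu_len = (size_t)(end - (buf + off)) + 1;  /* keep terminator */
        if (cb) cb(buf + off, pdu_len, ctx);  /* cb may be NULL */
        r.pdus++;
        off += pdu_len;
    }
    r.consumed = off;  /* caller keeps buf[consumed..len) for the next call */
    return r;
}

static void count_cb(const unsigned char *pdu, size_t len, void *ctx)
{
    (void)pdu; (void)len; ++*(size_t *)ctx;  /* stand-in for dissecting one message */
}

int main(void)
{
    /* Constructed sample: two whole messages and the start of a third. */
    const unsigned char seg[] = "LOGIN alice\nPING\nDATA 12";
    size_t seen = 0;
    struct carve_result r = carve_pdus(seg, sizeof seg - 1, count_cb, &seen);
    printf("%zu PDUs, %zu consumed, need_more=%d\n", r.pdus, r.consumed, r.need_more);
    return 0;
}
```

The cap matters because a peer that never sends the terminator would otherwise make the receiver buffer data without limit.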