Wireshark-dev: Re: [Wireshark-dev] Multiple Packets in One TCP Segment
From: Aurélien Decagny <[email protected]>
Date: Mon, 17 Aug 2009 23:45:50 +0200
I think this is a stupid question, but anyway:
Why don't you get the length of your packet directly in the dissect_sle function?
Why not do something like this:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define LENGTH_LECT 10000

...

static int dissect_sle(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
    char buffer[3] = "";
    int i = 0, length = 0;
    int nbytes = (int) tvb_length(tvb);
    char *data = NULL;

    /* two hex characters per octet, plus the terminating NUL */
    data = malloc(2 * nbytes + 1);
    if (data == NULL)
        return 0;
    data[0] = '\0';   /* strcat needs an initialised, empty string */

    /* so we put all the hexadecimal data in a string */
    for (i = 0; i < nbytes; i++)
    {
        sprintf(buffer, "%02x", tvb_get_guint8(tvb, i));
        strcat(data, buffer);
    }

    /* length is a number of octets
     * we compare each octet, without running past the buffer,
     * to see if we have the terminating octet */
    while (length < nbytes && (data[2*length] != ... || data[2*length+1] != ...))
    {
        length++;
    }

    tcp_dissect_pdus(tvb, pinfo, tree, ... length);

    free(data);
    return nbytes;
}

Or we can count the number of end characters, and call tcp_dissect_pdus each time. Well, in fact this works if the end character is forbidden in the data, or if we can only find it at the end of a structure. In the second case, it is a little bit more complex, but you can create a new tree each time in the dissect_sle_message() function.
I must have said something stupid, but it seems to me that it can work!

Regards

Aurelien


wsgd wrote:
Look at <wireshark sources>/doc/README.developer.
2.7 Reassembly/desegmentation for protocols running atop TCP.
2.7.2 Modifying the pinfo struct.


Olivier


Guy Harris wrote:
On Aug 17, 2009, at 11:22 AM, Aurélien Decagny wrote:

When you use tcp_dissect_pdus, an argument is the length of the data to be decoded.
Unfortunately, in her case, the length can't be determined except by scanning the packet for a terminating character:
  
    
On Aug 14, 2009, at 1:56 PM, Susan Ditmore wrote:

I am developing a packet dissector plugin for Wireshark. The packets
I am dissecting do not specify their length in their header, but
they are terminated by a special character (and can be a variable
length). Additionally, multiple complete packets of the protocol may
arrive in one tcp segment. I would like to know how to tell
wireshark to divide up these packets. I understand there is a
command called tcp_dissect_pdus(), but I believe it needs the length
specified in the header. Is this correct?

so she can't use tcp_dissect_pdus().
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <[email protected]>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:[email protected]?subject=unsubscribe
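The framing problem discussed in this thread (terminator-delimited PDUs, several per TCP segment, possibly a partial one at the end), as a stand-alone C example added here; it is not code from the thread or from Wireshark. The terminator value 0x0A and the names split_pdus, pdu_span and split_result are assumptions made for illustration. In a dissector following README.developer section 2.7.2, pending_off would correspond to pinfo->desegment_offset with pinfo->desegment_len set to DESEGMENT_ONE_MORE_SEGMENT.

```c
#include <stdio.h>
#include <string.h>

#define SLE_TERMINATOR 0x0A   /* assumed value; the thread never names the byte */
#define MAX_PDUS 16           /* cap on PDUs reported per call */

struct pdu_span { size_t offset; size_t len; };   /* len includes the terminator */

struct split_result {
    struct pdu_span pdus[MAX_PDUS];
    size_t count;         /* complete PDUs found */
    size_t pending_off;   /* first byte not yet consumed; == seg_len if none */
};

/* Split one TCP payload into terminator-delimited PDUs. Every read is
 * bounded by seg_len, so a segment with no terminator yields zero PDUs
 * and pending_off == 0 instead of an out-of-bounds scan. Bytes from
 * pending_off onward must be kept and rescanned with the next segment. */
static struct split_result split_pdus(const unsigned char *seg, size_t seg_len)
{
    struct split_result r;
    size_t off = 0;

    memset(&r, 0, sizeof r);
    while (off < seg_len && r.count < MAX_PDUS) {
        /* bounded search for the terminator in the unread remainder */
        const unsigned char *end = memchr(seg + off, SLE_TERMINATOR, seg_len - off);
        if (end == NULL)
            break;                      /* partial PDU: wait for more data */
        r.pdus[r.count].offset = off;
        r.pdus[r.count].len = (size_t)(end - (seg + off)) + 1;
        off += r.pdus[r.count].len;
        r.count++;
    }
    r.pending_off = off;
    return r;
}

int main(void)
{
    /* constructed sample: two complete PDUs followed by a partial one */
    const unsigned char seg[] = { 'A', 'B', 0x0A, 'C', 'D', 'E', 0x0A, 'F', 'G' };
    struct split_result r = split_pdus(seg, sizeof seg);
    for (size_t i = 0; i < r.count; i++)
        printf("PDU %zu: offset=%zu len=%zu\n", i, r.pdus[i].offset, r.pdus[i].len);
    printf("pending from offset %zu of %zu\n", r.pending_off, sizeof seg);
    return 0;
}
```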

